AI Security Review
scanned 2h ago · by lpm-firewall-aiNpm installation automatically executes privileged system-account creation. The install hook exfiltrates the created credentials and host identity to a Discord webhook.
Decision evidence
public snapshot- `package.json` runs `node index.js` in `preinstall`.
- `index.js` creates a local user with a hard-coded password.
- `index.js` attempts to add that user to `sudo` or `wheel`.
- `index.js` posts the username, password, hostname, and local IPv4 address to Discord.
- Execution occurs automatically during npm installation.
- Only `package.json` and `index.js` exist; no benign package functionality is present.
- The declared Puppeteer dependency is unused by the source.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource appears to send environment or credential material to an external endpoint.
index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L1Source collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1