AI Security Review
scanned 3h ago · by lpm-firewall-aiRuntime startup contacts an obfuscated Pastebin URL, retrieves further handles, imports remote-selected modules, and executes a remote command. It then attempts to connect the spawned process streams to a remote socket.
Decision evidence
public snapshot- `misc/configFetcher.js` decodes `https://pastebin.com/raw/pzwaDQsV`.
- `fetchConfig()` fetches attacker-selected Pastebin handles.
- Fetched strings are passed to dynamic `import()` for `net` and `cp`.
- `cp.exec()` executes a remotely fetched command.
- A socket is wired to command stdin/stdout/stderr, implementing reverse-shell behavior.
- `index.js` invokes `fetchConfig()` when `startWebSocketServer()` runs.
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- The payload path requires explicit runtime invocation of `startWebSocketServer()`.
- The callback references undefined `sh`, which may disrupt the shell wiring after connection.
Source & flagged code
3 flagged · loading sourceSource matches reverse-shell style process and socket wiring.
misc/configFetcher.jsView on unpkg · L9A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
misc/configFetcher.jsView on unpkg · L9Package source references dynamic require/import behavior.
misc/configFetcher.jsView on unpkg · L52