registry  /  icoa-cli  /  2.19.378

icoa-cli@2.19.378

ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

During an active exam, the CLI records shell input and reports it with exam identity to the ICOA service. Separate session-log synchronization also transmits competition telemetry. No install-time mutation or remote code execution was confirmed.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User launches exam/REPL features or explicitly runs `icoa shell`/environment commands.
Impact
Potential disclosure of exam command input, device fingerprint, account metadata, and detected local AI-tool names.
Mechanism
Competition telemetry and exam-proctoring uploads; user-invoked host/Docker shell execution.
Rationale
The source confirms privacy-sensitive runtime uploads and an explicit CTF execution environment, warranting a warning. It does not confirm malicious install-time behavior or a concrete malware chain.
Evidence
package.jsondist/postinstall.jsdist/commands/ctf4ai-demo.jsdist/commands/ctf4vla.jsdist/lib/log-sync.jsdist/lib/exam-sandbox.jsdist/commands/shell.jsdist/index.jsdist/repl.jsdist/lib/gemini.jsdist/lib/config.js
Network endpoints5
practice.icoa2026.au/api/icoa/auditpractice.icoa2026.au/api/icoa/exam-auditpractice.icoa2026.au/api/icoa/exam-ai-binariespractice.icoa2026.au/api/icoa/ai/chatregistry.npmjs.org/icoa-cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/commands/ctf4ai-demo.js` and `dist/commands/ctf4vla.js` are deliberately obfuscated.
  • `dist/lib/log-sync.js` uploads local session-log entries and device/account identifiers.
  • `dist/lib/exam-sandbox.js` uploads exam shell input and detected AI binaries.
  • `dist/commands/shell.js` explicitly opens host or Docker CTF shells.
Evidence against
  • `package.json` postinstall loads `dist/postinstall.js`, which only renders an install banner.
  • No native binaries, payload artifacts, `eval`, `Function`, reverse socket, or hidden downloader were found.
  • Network requests target the package's named ICOA competition service or npm registry.
  • Execution-capable shell and environment setup are explicit user commands for CTF tooling.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 98 file(s), 683 KB of source, external domains: aistudio.google.com, api.github.com, au.icoa2026.au, bootstrap.pypa.io, brew.sh, cdn.jsdelivr.net, deb.nodesource.com, github.com, icoa2026.au, nodejs.org, practice.icoa2026.au, python.org, raw.githubusercontent.com, registry.npmjs.org, www.docker.com, www.python.org

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/repl.jsView file
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Child Process

Package source references child process execution.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/repl.jsView on unpkg · L1
dist/commands/ctf4ai-demo.jsView file
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x258))/(0x11e6+0x1306*0x1+-0x2d7*0xd)*(-parseInt(U(0x248))/(-0x1*-0x1bd3+-0x11*0xb6+0x1*-0xfbb))+parseInt(U(0x...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x258))/(0x11e6+0x1306*0x1+-0x2d7*0xd)*(-parseInt(U(0x248))/(-0x1*-0x1bd3+-0x11*0xb6+0x1*-0xfbb))+parseInt(U(0x...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
dist/commands/env.jsView file
1import chalk from"chalk";import{execSync as e}from"node:child_process";import{appendFileSync as o,existsSync as n,mkdirSync as t,readFileSync as r}from"node:fs";import{homedir as a...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/env.jsView on unpkg · L1
dist/lib/tool-man.jsView file
1import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/lib/tool-man.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/repl.js -> dist/lib/tool-man.js L1: import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/tool-man.jsView on unpkg · L1
dist/commands/demo2.jsView file
1import chalk from"chalk";import{spawn as o}from"node:child_process";import{writeFileSync as e}from"node:fs";import{join as n}from"node:path";import{createInterface as t}from"node:r...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/demo2.jsView on unpkg · L1
dist/commands/ctf4vla.jsView file
matchType = previous_version_dangerous_delta matchedPackage = icoa-cli@2.19.375 matchedIdentity = npm:aWNvYS1jbGk:2.19.375 similarity = 0.939 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/ctf4vla.jsView on unpkg

Findings

3 Critical7 High6 Medium4 Low
CriticalReverse Shelldist/lib/tool-man.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/tool-man.js
CriticalPrevious Version Dangerous Deltadist/commands/ctf4vla.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/repl.js
HighSame File Env Network Executiondist/repl.js
HighCommand Output Exfiltrationdist/repl.js
HighSandbox Evasion Gated Capabilitydist/commands/demo2.js
HighObfuscated Payload Loaderdist/commands/ctf4ai-demo.js
HighObfuscated
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/commands/ctf4ai-demo.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/env.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings