registry  /  icoa-cli  /  2.19.392

icoa-cli@2.19.392

ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

User-launched CTF modes load obfuscated modules that invoke Gemini, fetch package-aligned competition resources, and may spawn local tools/viewers. The install hook only prints a progress animation; no confirmed install-time attack surface exists.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs icoa and enters ctf4ai or ctf4eai modes.
Impact
User-triggered execution can access configured Gemini credentials and launch local helper processes; obfuscation prevents a clean safety determination.
Mechanism
Obfuscated interactive CTF workflow with dynamic child-process use and remote challenge retrieval.
Rationale
No concrete malicious install-time or stealth attack chain was confirmed, so a block is not justified. Obfuscated runtime code with dynamic process execution and remote challenge handling warrants a warning.
Evidence
package.jsondist/postinstall.jsdist/index.jsdist/commands/ctf4ai-demo.jsdist/commands/ctf4vla.jsdist/lib/config.jsdist/lib/tool-man.js~/.icoa/config.json
Network endpoints2
practice.icoa2026.auaistudio.google.com/apikey

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/ctf4ai-demo.js is heavily obfuscated and dynamically imports child_process.
  • dist/commands/ctf4vla.js is heavily obfuscated, fetches challenge content, writes it, and spawns a local viewer.
  • dist/commands/ctf4ai-demo.js creates a Gemini chat session for an interactive CTF prompt-injection exercise.
  • dist/lib/config.js persists CLI state under ~/.icoa.
  • dist/index.js imports the obfuscated CTF modules at CLI startup.
Evidence against
  • package.json postinstall only loads dist/postinstall.js.
  • dist/postinstall.js only renders installation progress to stdout.
  • No preinstall hook or observed lifecycle network, shell, file, or agent-config mutation.
  • dist/lib/tool-man.js contains command-reference text; no socket or process implementation.
  • No .ssh, .npmrc, AI-agent configuration, credential harvesting, or exfiltration path was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 101 file(s), 718 KB of source, external domains: aistudio.google.com, api.github.com, au.icoa2026.au, bootstrap.pypa.io, brew.sh, cdn.jsdelivr.net, deb.nodesource.com, github.com, icoa2026.au, nodejs.org, practice.icoa2026.au, python.org, raw.githubusercontent.com, registry.npmjs.org, www.docker.com, www.python.org

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/repl.jsView file
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Child Process

Package source references child process execution.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/repl.jsView on unpkg · L1
dist/commands/ctf4ai-demo.jsView file
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=parseInt(U(0x2a0))/(-0x3b*0x24+-0x1b32+-0x2bb*-0xd)*(-parseInt(U(0x277))/(-0x12*-0x134+-0x661+-0x3*0x517))+-parseInt(U(0x20...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=parseInt(U(0x2a0))/(-0x3b*0x24+-0x1b32+-0x2bb*-0xd)*(-parseInt(U(0x277))/(-0x12*-0x134+-0x661+-0x3*0x517))+-parseInt(U(0x20...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
dist/commands/env.jsView file
1import chalk from"chalk";import{execSync as e}from"node:child_process";import{appendFileSync as o,existsSync as n,mkdirSync as t,readFileSync as r}from"node:fs";import{homedir as a...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/env.jsView on unpkg · L1
dist/lib/tool-man.jsView file
1import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/lib/tool-man.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/repl.js -> dist/lib/tool-man.js L1: import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/tool-man.jsView on unpkg · L1
dist/commands/demo2.jsView file
1import chalk from"chalk";import{spawn as o}from"node:child_process";import{writeFileSync as e}from"node:fs";import{join as n}from"node:path";import{createInterface as t}from"node:r...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/demo2.jsView on unpkg · L1
dist/commands/ctf4vla.jsView file
matchType = previous_version_dangerous_delta matchedPackage = icoa-cli@2.19.391 matchedIdentity = npm:aWNvYS1jbGk:2.19.391 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/ctf4vla.jsView on unpkg

Findings

3 Critical6 High6 Medium5 Low
CriticalReverse Shelldist/lib/tool-man.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/tool-man.js
CriticalPrevious Version Dangerous Deltadist/commands/ctf4vla.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/repl.js
HighSame File Env Network Executiondist/repl.js
HighCommand Output Exfiltrationdist/repl.js
HighSandbox Evasion Gated Capabilitydist/commands/demo2.js
HighObfuscated Payload Loaderdist/commands/ctf4ai-demo.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/commands/ctf4ai-demo.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/env.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings