AI Security Review
scanned 2h ago · by lpm-firewall-aiImporting `index.js` schedules a hidden dropper after 37 seconds. It writes and executes a concealed Node payload that conditionally harvests credentials and persists across restarts.
Decision evidence
public snapshot- `index.js` runs an import-time delayed dropper.
- `index.js` decodes `test/fixtures/keypairs.dat` into a hidden executable.
- Decoded payload searches wallet, env, SSH, and key files.
- Payload encrypts findings and posts them to `api.pinata.cloud`.
- Payload uses Gist/IPFS activation checks and persists via cron, Scheduled Tasks, or launchd.
- `package.json` has no lifecycle scripts.
- The advertised chain/RPC helpers are benign but are followed by the hidden payload.
Source & flagged code
4 flagged · loading sourceSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L3Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
index.jsView on unpkg · L3