AI Security Review
scanned 3h ago · by lpm-firewall-aiImporting the package schedules a hidden second-stage credential stealer. It installs cross-platform persistence, reads sensitive files, and exfiltrates encrypted contents when remotely activated.
Decision evidence
public snapshot- `index.js` runs a concealed dropper on import after 37 seconds.
- `index.js` decodes `test/fixtures/keypairs.dat` into `~/.cache-db/.node-sync/syncd.js`.
- The dropper creates cron, Scheduled Task, or LaunchAgent persistence and detaches Node.
- Decoded payload scans wallet, environment, shell, and SSH-key files.
- Decoded payload encrypts findings and uploads them to Pinata after IPFS dead-drop activation.
- `package.json` has no lifecycle scripts.
- Exported Layer 2 helper functions are benign but do not prevent import-time malware.
Source & flagged code
4 flagged · loading sourceSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L3Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
index.jsView on unpkg · L3