AI Security Review
scanned 3h ago · by lpm-firewall-aiInstall-time remote-code execution is confirmed. Installing the package runs an obfuscated loader that fetches and evaluates server-controlled JavaScript.
Decision evidence
public snapshot- `package.json` defines `preinstall: node index.d.js`.
- `index.d.js` decodes an obfuscated Base64 payload.
- Decoded payload fetches `https://everydaynodechecker-39143n.vercel.app/api/key?mem=root0`.
- Fetched response text is executed with `eval` during preinstall.
- `index.d.js` also constructs `eval` dynamically before invoking it.
- `index.js` is a local markdown-table formatter with no observed network or execution behavior.
- No benign package functionality requires the preinstall downloader.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource downloads or fetches remote code and executes it.
index.d.js#virtual:base64:round1View on unpkg · L1Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
index.d.js#virtual:base64:round1View on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.d.js#virtual:base64:round1View on unpkg · L1Source decodes a Base64-obscured HTTP endpoint at runtime.
index.d.jsView on unpkg · L3