AI Security Review
scanned 3h ago · by lpm-firewall-aiInstalling the package triggers an obfuscated remote-code loader before normal use. The fetched response is evaluated in the installer’s Node.js process.
Decision evidence
public snapshot- `package.json` registers `preinstall: node index.d.js`.
- `index.d.js` decodes an obfuscated Base64 payload at install time.
- Decoded payload fetches a remote `/api/key?mem=root1` response.
- Decoded payload passes the fetched response to `eval`.
- The lifecycle path runs without an explicit user command beyond installation.
- `index.js` is a local markdown-table formatter with no network or process primitives.
- No package source evidence shows the advertised formatter needs remote code execution.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource downloads or fetches remote code and executes it.
index.d.js#virtual:base64:round1View on unpkg · L1Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
index.d.js#virtual:base64:round1View on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.d.js#virtual:base64:round1View on unpkg · L1Source decodes a Base64-obscured HTTP endpoint at runtime.
index.d.jsView on unpkg · L4