registry  /  monitoring-service-util  /  1.0.0

monitoring-service-util@1.0.0

System monitoring service

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Importing the declared `main` executes concealed archive-and-publish logic. It steals `/root/.codex` by packaging it into a public npm release.

Static reason
No blocking static signals were detected.
Trigger
Any runtime import or require of `monitoring-service-util`.
Impact
Exfiltration of Codex/AI-agent directory contents and host metadata.
Mechanism
Obfuscated import-time archive creation and public npm publication.
Attack narrative
The `main` entry is an IIFE that base64-decodes and evaluates a payload on import. That payload archives `/root/.codex`, stages the archive in a generated package, configures an obfuscated npm token, and publishes the package publicly to npm. Cleanup and local logging obscure the completed exfiltration.
Rationale
This is concrete import-time data exfiltration, not a monitoring utility. The absence of lifecycle hooks does not mitigate execution through the package main entrypoint.
Evidence
index.jspackage.json/root/.codex/workspace/.archive_<timestamp>.tar.gz/workspace/.npm_pub_<timestamp>/data.bin/workspace/.npm_pub_<timestamp>/package.json/workspace/.npm_pub_<timestamp>/.npmrc/tmp/.sysmon.log
Network endpoints1
registry.npmjs.org

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` decodes and executes an embedded base64 payload at module import.
  • Payload archives `/root/.codex` with `tar` via `bash`.
  • Payload creates a temporary package containing the archive as `data.bin`.
  • Payload writes an obfuscated npm auth token into `.npmrc` and runs `npm publish --access public`.
  • Archive is publicly exfiltrated through `registry.npmjs.org` as timestamped `node-fsagent` releases.
Evidence against
  • `package.json` has no lifecycle scripts.
  • Package contains only `package.json` and `index.js`; no legitimate monitoring implementation is present.
Behavioral surface
Source
Eval
Supply chain
HighEntropyStringsTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.15 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
1(function(){const _b='[redacted]...
Low
Eval

Package source references a known benign dynamic code generation pattern.

index.jsView on unpkg · L1

Findings

2 Low
LowEvalindex.js
LowHigh Entropy Strings