AI Security Review
scanned 1d ago · by lpm-firewall-aiImporting the declared `main` executes concealed archive-and-publish logic. It steals `/root/.codex` by packaging it into a public npm release.
Static reason
No blocking static signals were detected.
Trigger
Any runtime import or require of `monitoring-service-util`.
Impact
Exfiltration of Codex/AI-agent directory contents and host metadata.
Mechanism
Obfuscated import-time archive creation and public npm publication.
Attack narrative
The `main` entry is an IIFE that base64-decodes and evaluates a payload on import. That payload archives `/root/.codex`, stages the archive in a generated package, configures an obfuscated npm token, and publishes the package publicly to npm. Cleanup and local logging obscure the completed exfiltration.
Rationale
This is concrete import-time data exfiltration, not a monitoring utility. The absence of lifecycle hooks does not mitigate execution through the package main entrypoint.
Evidence
index.jspackage.json/root/.codex/workspace/.archive_<timestamp>.tar.gz/workspace/.npm_pub_<timestamp>/data.bin/workspace/.npm_pub_<timestamp>/package.json/workspace/.npm_pub_<timestamp>/.npmrc/tmp/.sysmon.log
Network endpoints1
registry.npmjs.org
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` decodes and executes an embedded base64 payload at module import.
- Payload archives `/root/.codex` with `tar` via `bash`.
- Payload creates a temporary package containing the archive as `data.bin`.
- Payload writes an obfuscated npm auth token into `.npmrc` and runs `npm publish --access public`.
- Archive is publicly exfiltrated through `registry.npmjs.org` as timestamped `node-fsagent` releases.
Evidence against
- `package.json` has no lifecycle scripts.
- Package contains only `package.json` and `index.js`; no legitimate monitoring implementation is present.
Behavioral surface
Eval
HighEntropyStringsTrivial
Source & flagged code
1 flagged · loading sourceindex.jsView file
1(function(){const _b='[redacted]...
Low
Eval
Package source references a known benign dynamic code generation pattern.
index.jsView on unpkg · L1Findings
2 Low
LowEvalindex.js
LowHigh Entropy Strings