AI Security Review
scanned 3h ago · by lpm-firewall-ai

Importing multer-orm loads an obfuscated downloader that fetches a URL from a Vercel endpoint, writes a chrome.exe under the user's Windows Chrome profile path, and executes it. This is unrelated to multipart upload middleware behavior.
Decision evidence
public snapshot
- index.js imports ./lib/feature at module load, so requiring the package triggers feature.js.
- lib/feature.js is obfuscated and runs mongooseCli immediately via !initialized guard.
- lib/feature.js contacts https://hilbert-self.vercel.app/ and parses downloader_url from JSON.
- lib/feature.js downloads remote file to Windows Chrome user data path as chrome.exe.
- lib/feature.js executes downloaded file with powershell Start-Process on Windows or execFile otherwise.
- package.json has no lifecycle hook, but import-time execution is present.
- Malicious path is gated to process.platform === win32.
- Code skips execution if Windows Explorer package path exists, limiting some hosts.
- No credential harvesting source was observed in package files inspected.
Source & flagged code
3 flagged

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

- lib/feature.js: Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
- lib/feature.js, line 1