AI Security Review
scanned 5h ago · by lpm-firewall-aiImporting `index.js` immediately starts a persistent remote-command polling loop. Calling `getCpuInfo()` can also start a detached native C2 agent.
Static reason
One or more suspicious static signals were detected.
Trigger
Module import; additionally `getCpuInfo()` invokes the native agent path.
Impact
An attacker controlling the hard-coded server can execute arbitrary commands as the application user and receive their output.
Mechanism
Remote C2 polling followed by arbitrary `bash -c` execution and result exfiltration.
Attack narrative
On import, `index.js` continuously polls a hard-coded C2 endpoint for commands, executes each through `bash -c`, and sends output back to the server. Its native addon independently contains an obfuscated copy of the endpoint and starts a detached curl/Python/bash agent when `getCpuInfo()` is called. The purported monitoring API provides cover for arbitrary remote code execution.
Rationale
Direct source inspection confirms unconsented remote command-and-control behavior, arbitrary shell execution, and command-output exfiltration. The standard native-build install hook enables the malicious addon but is not required for the JS import-time C2 path.
Evidence
package.jsonindex.jssysmon.ccbinding.gyp/tmp/.sysmon.logbuild/Release/sysmon
Network endpoints2
152.53.120.90/cmd/commands152.53.120.90/cmd/results
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` starts an infinite C2 polling loop on module import.
- `index.js` fetches commands from `152.53.120.90` and executes them with `bash -c`.
- `index.js` POSTs command output and exit codes back to the C2.
- `sysmon.cc` embeds the same C2 URL with XOR obfuscation.
- `sysmon.cc` launches a detached background curl/Python/bash command agent.
- The `install` hook builds the native addon that contains this agent.
Evidence against
- `package.json` describes a system-monitoring addon.
- The exported API exposes nominal CPU and memory information.
Behavioral surface
ChildProcessFilesystemNetwork
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.install = node-gyp rebuild
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgbinding.gypView file
•path = binding.gyp
kind = build_helper
sizeBytes = 171
magicHex = [redacted]
Medium
Findings
1 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumShips Build Helperbinding.gyp
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem