AI Security Review
scanned 3h ago · by lpm-firewall-aiRuntime use of the exported function spawns a detached child that retrieves and executes server-controlled JavaScript. This is an unbounded remote-code-execution backdoor, not notification functionality.
Static reason
One or more suspicious static signals were detected.
Trigger
A consumer calls the package's exported `check()` function.
Impact
Remote operators can execute arbitrary code with the consuming process user's permissions.
Mechanism
Detached child fetches and evaluates remote JavaScript with `require`.
Attack narrative
Calling `check()` in `index.js` starts a detached Node process for `lib/vcall.js`. That file downloads a server-controlled `model` value from api.jsonsilo.com, compiles it through `Function.constructor`, and invokes it with Node's `require`. The server can therefore supply arbitrary JavaScript that loads local modules and performs actions under the application's user account; the detached child makes execution less visible to the caller.
Rationale
The package contains a concrete remote payload loader and evaluator reached through its public API. Absence of an install hook does not mitigate this runtime RCE behavior.
Evidence
package.jsonindex.jslib/vcall.js.env
Network endpoints1
api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` launches detached `node lib/vcall.js` when exported `check()` is called.
- `lib/vcall.js` fetches a `model` field from a remote API.
- `lib/vcall.js` compiles and executes fetched text using `new Function.constructor`.
- The remote payload executes with local `require`, enabling arbitrary module access.
- The child is detached and unreferenced, allowing execution after the caller exits.
Evidence against
- `package.json` has no npm lifecycle hooks.
- No AI-agent configuration or install-time filesystem mutation was found.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading source.envView file
2patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L2: DEV_DEPENDENCY_TOKEN=<redacted:4 value>
Critical
docs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
1 Critical3 Medium3 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings