registry  /  notifier-funcs  /  1.3.4

notifier-funcs@1.3.4

Enable Notifications

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Runtime use of the exported function spawns a detached child that retrieves and executes server-controlled JavaScript. This is an unbounded remote-code-execution backdoor, not notification functionality.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer calls the package's exported `check()` function.
Impact
Remote operators can execute arbitrary code with the consuming process user's permissions.
Mechanism
Detached child fetches and evaluates remote JavaScript with `require`.
Attack narrative
Calling `check()` in `index.js` starts a detached Node process for `lib/vcall.js`. That file downloads a server-controlled `model` value from api.jsonsilo.com, compiles it through `Function.constructor`, and invokes it with Node's `require`. The server can therefore supply arbitrary JavaScript that loads local modules and performs actions under the application's user account; the detached child makes execution less visible to the caller.
Rationale
The package contains a concrete remote payload loader and evaluator reached through its public API. Absence of an install hook does not mitigate this runtime RCE behavior.
Evidence
package.jsonindex.jslib/vcall.js.env
Network endpoints1
api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` launches detached `node lib/vcall.js` when exported `check()` is called.
  • `lib/vcall.js` fetches a `model` field from a remote API.
  • `lib/vcall.js` compiles and executes fetched text using `new Function.constructor`.
  • The remote payload executes with local `require`, enabling arbitrary module access.
  • The child is detached and unreferenced, allowing execution after the caller exits.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • No AI-agent configuration or install-time filesystem mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 51.6 KB of source, external domains: api.jsonsilo.com, github.com

Source & flagged code

2 flagged · loading source
2patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L2: DEV_DEPENDENCY_TOKEN=<redacted:4 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L2
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

1 Critical3 Medium3 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings