AI Security Review
scanned 4h ago · by lpm-firewall-aiCalling the exported function starts a detached Node child process. That child fetches remotely controlled JavaScript and executes it with CommonJS module-loading access.
Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
A consumer invokes the default/named export from `index.js`.
Impact
A remote endpoint can run arbitrary code with the permissions of the consuming user or service.
Mechanism
Detached staged remote-code execution through `Function` constructor.
Attack narrative
Normal runtime use invokes `check` in `index.js`, which launches `lib/vcall.js` as a detached child. At module load, that file retrieves a `model` value from the remote JSONSilo endpoint, constructs executable code from the returned text, and calls it with `require`. This provides the remote operator arbitrary runtime code execution without an integrity check, user disclosure, or package-aligned feature justification.
Rationale
The inspected source establishes an active, user-triggered remote payload execution chain. No lifecycle hook is needed for this to be malicious because ordinary use triggers arbitrary code fetched from a remote endpoint.
Evidence
package.jsonindex.jslib/vcall.js.env
Network endpoints1
api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` invokes detached `node lib/vcall.js` whenever its export is called.
- `lib/vcall.js` fetches a `model` field from `https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5`.
- `lib/vcall.js` compiles fetched content using `new Function.constructor` and executes it with `require`.
- `.env` contains redacted development credential keys, adding supply-chain hygiene concern.
Evidence against
- `package.json` contains no `preinstall`, `install`, or `postinstall` hook.
- Reviewed trigger path shows no direct local credential reading, file writes, or destructive action before remote code runs.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading source.envView file
2patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L2: DEV_DEPENDENCY_TOKEN=<redacted:4 value>
Critical
index.jsView file
•matchType = malicious_source_fingerprint_signature
signature = edfaf93641481f1b
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = async-chain-dom@1.3.5
matchedPath = index.js
matchedIdentity = npm:YXN5bmMtY2hhaW4tZG9t:1.3.5
similarity = 1.000
shingleOverlap = 12
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgdocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
1 Critical1 High3 Medium3 Low
CriticalCritical Secret.env
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings