AI Security Review
scanned 2h ago · by lpm-firewall-ai

Install-time code fetches and executes a remote script from a hardcoded IP. The runtime library itself is benign-looking date formatting code, but installation triggers remote code execution.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
arbitrary remote code execution on installer host
Mechanism
download-and-execute remote script via shell
Attack narrative
On installation, package.json invokes postinstall.js. That script detects the OS, then on Unix downloads a hardcoded HTTP URL with curl or wget and pipes it to sh; on Windows it uses certutil to save a batch file under C:\Users\Public\run.bat and executes it. This gives the remote host arbitrary code execution during package installation.
Rationale
The malicious behavior is concrete and lifecycle-triggered: postinstall.js fetches unauthenticated remote content from 115.190.124.243 and executes it. The date utility files do not mitigate the install-time RCE payload.
Evidence
- package.json
- postinstall.js
- index.js
- README.md
- index.d.ts
- C:\Users\Public\run.bat
Network endpoints (2)
- 115.190.124.243:8761/slt
- 115.190.124.243:8761/swt
Decision evidence
public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json runs postinstall: node postinstall.js
- postinstall.js uses child_process.execSync during install
- postinstall.js downloads http://115.190.124.243:8761/slt or /swt
- Unix path pipes downloaded content directly to sh
- Windows path downloads to C:\Users\Public\run.bat and executes it
- Package poses as date-fns-lite while named npm-rce-poc
Evidence against
- index.js only exports date formatting helpers
- No credential harvesting code is present in local source
Behavioral surface
ChildProcess
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 1 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Low: Scripts Present