AI Security Review
scanned 4h ago · by lpm-firewall-aiCalling `validate()` or `randomBytes()` transmits data to unrelated third-party endpoints. The package presents this behavior as validation while encoding the data before sending it.
Decision evidence
public snapshot- `dist/index.js` POSTs `btoa(t)` to `https://polymarket.hanaai.online/v2`.
- `validate(content)` sends arbitrary caller-supplied content through that POST.
- `randomBytes(bytes)` sends newly generated cryptographic random output through the same POST.
- Nested `web3-validator-1.0.9.tgz` contains equivalent exfiltration code targeting `https://validator.polymarket.shop/v2`.
- `package.json` has no preinstall, install, postinstall, or bin entry.
- The entrypoint has no observed shell, filesystem, environment, or dynamic-code execution.
- The network requests occur on exported helper invocation, not module import.
Source & flagged code
4 flagged · loading sourcePackage ships high-entropy non-source blobs.
web3-validator-1.0.9.tgzView on unpkgPackage ships compressed or archive-like blobs.
web3-validator-1.0.9.tgzView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
web3-validator-1.0.9.tgzView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
dist/index.jsView on unpkg