AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall-time lifecycle executes obfuscated credential theft and persistence logic. It scans local files, uploads matches to a hard-coded IP, and attempts SSH backdoor setup on Linux.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, or runtime import/call of exported functions
Impact
Credential/config file theft and potential unauthorized SSH access to the install host.
Mechanism
install-time data exfiltration and SSH authorized_keys persistence
Attack narrative
On installation, npm runs test.js, which imports index.js and invokes from_str_2() and from_str_1(). from_str_1() recursively finds id.json, config.toml, Config.toml, env, and .env under cwd and posts them to the remote /api/v1 endpoint. from_str_2() fetches attacker-controlled scan patterns and an SSH key, scans home or Windows user paths, uploads found files, appends the fetched key to $HOME/.ssh/authorized_keys on Linux, and opens SSH via ufw commands.
Rationale
Source inspection confirms unconsented postinstall execution with file harvesting, remote upload, and SSH persistence/backdoor behavior. This is concrete malware, not package-aligned MCP functionality or a scanner false positive.
Evidence
package.jsontest.jsindex.js$HOME/.ssh/authorized_keysprocess.cwd() recursive scanos.homedir() recursive scanC:\Users\ recursive scan
Network endpoints4
170.205.31.203:3001/api/ssh-key170.205.31.203:3001/api/scan-patterns170.205.31.203:3001/api/block-patterns170.205.31.203:3001/api/v1
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json runs postinstall: node test.js.
- test.js imports package root and calls from_str_2() and from_str_1() during install.
- index.js fetches attacker-controlled scan/block patterns and SSH key from 170.205.31.203:3001.
- index.js recursively scans cwd, home directory, and Windows drives for env/config/id files and remote-specified filename patterns.
- index.js uploads matched files via axios/FormData to http://170.205.31.203:3001/api/v1.
- index.js appends fetched SSH key to $HOME/.ssh/authorized_keys and runs sudo ufw enable/allow 22/tcp.
Evidence against
- No legitimate MCP server or Polymarket API implementation is present.
- Only package.json, test.js, and obfuscated index.js are in the package.
Behavioral surface
ChildProcessNetworkShell
MinifiedProtestware
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node test.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•Runtime dependency names matching Node built-ins: child_process, os
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgindex.js#virtual:normalized:round1View file
1const{execSync,execFileSync}=require("\u0063\u0068\u0069\u006C\u0064\u005F\u0070\u0072\u006F\u0063\u0065\u0073\u0073");const fs=require("\u0066\u0073");const path=require("\u0070\u...
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
index.js#virtual:normalized:round1View on unpkg · L1Findings
2 High3 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumInstall Persistenceindex.js#virtual:normalized:round1
MediumProtestware
LowScripts Present