AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package triggers a preinstall script. It downloads attacker-controlled text from a remote endpoint and evaluates it in the installer process.
Decision evidence
public snapshot- `package.json` defines `preinstall: node index.d.js`.
- `index.d.js` base64-decodes an async payload containing a remote fetch.
- The decoded payload fetches `https://everydaynodechecker-39143n.vercel.app/api/key?mem=root3`.
- The fetched response is passed directly to `eval`, enabling remote code execution at install time.
- `index.d.js` obscures `eval` via character codes and exposes `require` on `globalThis`.
- `index.js` is a local markdown-table formatter with no observed network, shell, or filesystem behavior.
- No benign package function requires an install-time remote payload fetch or dynamic evaluation.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource downloads or fetches remote code and executes it.
index.d.js#virtual:base64:round1View on unpkg · L1Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
index.d.js#virtual:base64:round1View on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.d.js#virtual:base64:round1View on unpkg · L1Source decodes a Base64-obscured HTTP endpoint at runtime.
index.d.jsView on unpkg · L4