AI Security Review
scanned 4h ago · by lpm-firewall-aiThe default export fetches a remote JSON resource and executes its `credits` value as JavaScript. This permits the remote host to run arbitrary code in the consuming Node process once the export is called.
Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
A consumer imports the package and invokes its default export (`getPlugin`).
Impact
Remote operator can execute arbitrary code with the invoking process's permissions.
Mechanism
Network-fetched JavaScript executed via `new Function` with Node globals and custom require.
Attack narrative
On explicit invocation, `getPlugin` fetches JSON from `svganchordev.net/icons/107` using a fixed header. It extracts `data.credits`, constructs a Function with custom `require`, `process`, `global`, Buffer, paths, console, and timers, and executes it. The response is therefore an unpinned remote code payload running under the caller's Node privileges. Errors are suppressed and retried once, providing no integrity validation or user confirmation.
Rationale
This is a concrete staged remote-code-execution path, not merely a static `eval` hint. Although it is not install-time, the exported package API directly executes attacker-controlled network content.
Evidence
package.jsonindex.jsREADME.md
Network endpoints1
svganchordev.net/icons/107
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` exports `getPlugin`, which fetches `https://svganchordev.net/icons/107` when invoked.
- `index.js` passes the response field `data.credits` into `new Function` and executes it.
- The evaluated payload receives `require`, `process`, `global`, filesystem-relative paths, Buffer, and timers.
- `package.json` has no preinstall/install/postinstall lifecycle hook.
Evidence against
- Only `package.json`, `index.js`, and `README.md` are present; no bundled secondary payload was found.
- Remote execution is not import-time: it requires a consumer to invoke the default-exported function.
- No local credential harvesting, file writes, shell execution, or AI-agent configuration mutation appears in inspected source.
- The README/package identity is inconsistent, but that does not reduce the concrete remote-code-execution behavior.
Behavioral surface
EvalNetwork
Source & flagged code
2 flagged · loading sourceindex.jsView file
149// Note: The code uses async/await, so we need to handle that
L150: const evalFn = new Function(
L151: 'require', 'module', 'exports', '__dirname', '__filename', 'console', 'process', 'global', 'Buffer', 'setTimeout', 'setInterval', 'clearTimeout', 'clearInterval', 'Promise',
High
•matchType = malicious_source_fingerprint_signature
signature = c06bd55d669269cb
signatureType = suspicious_hashes
sourceLabel = OpenSSF malicious-packages
matchedPackage = polymarket-toolkit@1.4.9
matchedPath = index.js
matchedIdentity = npm:cG9seW1hcmtldC10b29sa2l0:1.4.9
similarity = 1.000
shingleOverlap = 1
summary = Malicious code in polymarket-toolkit (npm)
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgFindings
2 High1 Medium1 Low
HighEvalindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
LowScripts Present