AI Security Review
scanned 8h ago · by lpm-firewall-aiImporting either Node entrypoint activates a hidden payload. The CJS build targets a foreign dependency file; the ESM build executes decrypted content supplied by `thedata`.
Decision evidence
public snapshot- `dist/sigchain-js.esm.js` imports `desKey` from `thedata`, decrypts it, and runs it with detached `node`.
- `dist/sigchain-js.cjs.js` reads `node_modules/tchain-api/apps/docs/app/rsa.db`, decrypts it with hard-coded `hydra`, then pipes it to detached `node`.
- Both payloads run in top-level async IIFEs during module initialization; no user API call is required.
- `src/` and `rollup.config.js` contain neither the payload logic nor its imports, indicating malicious compiled-artifact injection.
- `package.json` defines no install, preinstall, or postinstall lifecycle hook.
- No concrete network endpoint is present in the confirmed injected execution chain.
Source & flagged code
10 flagged · loading sourceSource spawns a local helper that fetches and dynamically executes remote code.
dist/sigchain-js.cjs.jsView on unpkg · L18A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/sigchain-js.cjs.jsView on unpkg · L18Package source references child process execution.
dist/sigchain-js.cjs.jsView on unpkg · L18Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/sigchain-js.cjs.jsView on unpkgPackage contains source files above the static scanner size ceiling.
dist/sigchain-js.umd.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/sigchain-js.esm.jsView on unpkg