slackid@1.0.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is an inert Slack credential/configuration carrier rather than executable malware. Risk is exposure or reuse of embedded Slack token-looking strings and webhook URLs if they are real.

Static reason
One or more suspicious static signals were detected.
Trigger
package installation or source inspection exposing bundled text file
Impact
possible Slack workspace credential or webhook disclosure; no confirmed runtime compromise
Mechanism
bundled credential-looking Slack configuration file
Attack narrative
slackid@1.0.0 ships only a manifest and a text file containing Slack token-looking strings plus webhook URLs. There is no lifecycle hook or executable package code to harvest, exfiltrate, persist, or mutate agent control surfaces, so the observed risk is inert credential exposure rather than active malware.
Rationale
Static inspection confirms suspicious embedded Slack secrets but no install-time, import-time, or runtime attack behavior. Treat as warn-level credential exposure/inert carrier, not a publish-block malware package.
Evidence
package.json, 16-slack-token.txt
Network endpoints: 2
hooks.slack.com/services/T01234567/B01234567/xyzABCDEFGHIJKLMNOPQRSTU
hooks.slack.com/services/T01234567/B09876543/ABCxyzDEFGHIJKLMNOPQRSTU

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • 16-slack-token.txt contains multiple Slack token-looking values and Slack webhook URLs.
  • package has no implementation file despite package.json main pointing to index.js.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • No JavaScript source files, imports, child_process, eval, dynamic loading, or runtime network code were present.
  • No credential harvesting or exfiltration logic was found; the secret material is inert package content.
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

4 flagged
16-slack-token.txt
patternName = slack_bot_token severity = critical line = 7 matchedText = Token: x...UVWx
Critical
Critical Secret

Package contains a critical-looking secret pattern.

16-slack-token.txt · L7
patternName = slack_bot_token severity = critical line = 7 matchedText = Token: x...UVWx
Critical
Secret Pattern

Slack bot token in 16-slack-token.txt

16-slack-token.txt · L7
patternName = slack_bot_token severity = critical line = 12 matchedText = Token: x...uVwX
Critical
Secret Pattern

Slack bot token in 16-slack-token.txt

16-slack-token.txt · L12
patternName = slack_user_token severity = critical line = 22 matchedText = Token: x...wXyZ
Critical
Secret Pattern

Slack user token in 16-slack-token.txt

16-slack-token.txt · L22

Findings

4 Critical, 1 Low
Critical · Critical Secret · 16-slack-token.txt
Critical · Secret Pattern · 16-slack-token.txt
Critical · Secret Pattern · 16-slack-token.txt
Critical · Secret Pattern · 16-slack-token.txt
Low · Scripts Present