AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` exports `getPlugin`, which fetches `https://bet.slotgambit.com/icons/106`.
- `index.js` passes remotely returned `data.credits` to `new Function(...)`.
- The generated function receives `require`, `process`, `globalThis`, `Buffer`, and filesystem-relevant paths.
- `index.js` resolves modules from the package and a sibling `../react-svg-helper` directory.
- `package.json` declares unrelated native, DPAPI, machine-ID, SQLite, HTTP, and socket dependencies.
- `README.md` documents a different package/API and does not disclose remote code execution.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
- The remote fetch and evaluation occur only when a consumer invokes exported `getPlugin`.
- Inspected source contains no direct credential read, file write, or exfiltration code before payload execution.
Behavioral surface
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 5.96 KB of source