registry  /  telemetry-metrics  /  0.2.1

telemetry-metrics@0.2.1

Modular metrics for Node.js

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A caller invoking `plugin()` triggers a remote payload download and Windows system-path write. This is a concrete staged-payload dropper behavior, though it is not install-time.

Static reason
No blocking static signals were detected.
Trigger
Runtime call to `require('telemetry-metrics')().plugin()`
Impact
Writes attacker-controlled remote content to a privileged-looking Windows path.
Mechanism
Fetches remote bytes and synchronously drops them under `C:\Windows`
Attack narrative
The package adds an undocumented `Control.plugin()` method that downloads arbitrary bytes from a hard-coded third-party GitHub repository and writes them to `C:\Windows\1.txt`. No integrity verification, user-supplied destination, or documented telemetry purpose exists. The code does not execute the dropped file itself, but it acts as a remote staged-payload carrier.
Rationale
Source inspection confirms concrete remote download-and-drop behavior unrelated to the package’s metrics API. Lack of lifecycle hooks limits activation to an explicit runtime call but does not remove the malicious payload-delivery capability.
Evidence
package.jsonindex.jslib/control.jslib/plugin-options.jslib/runner.jslib/task.jsREADME.mdC:\Windows\1.txt
Network endpoints1
raw.githubusercontent.com/ThoSuperstarDev/axios-http/main/lib/env/te.txt

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `lib/control.js` exposes an undocumented runtime `plugin()` method.
  • Calling it fetches remote bytes from `raw.githubusercontent.com`.
  • `lib/plugin-options.js` writes those bytes to `C:\Windows\1.txt`.
  • The downloaded content is unauthenticated and not package-aligned.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • No credential harvesting, shell execution, or payload execution appears elsewhere in package source.
Behavioral surface
Source
FilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 14.9 KB of source, external domains: raw.githubusercontent.com

Source & flagged code

2 flagged · loading source
lib/control.jsView file
Published source reference
High
Ai Review Evidence

`lib/control.js` exposes an undocumented runtime `plugin()` method.

lib/control.jsView on unpkg
lib/plugin-options.jsView file
Published source reference
High
Ai Review Evidence

`lib/plugin-options.js` writes those bytes to `C:\Windows\1.txt`.

lib/plugin-options.jsView on unpkg

Findings

4 High1 Medium3 Low
HighAi Review Evidencelib/control.js
HighAi Review Evidence
HighAi Review Evidencelib/plugin-options.js
HighAi Review Evidence
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings