AI Security Review
scanned 2h ago · by lpm-firewall-aiInstallation triggers `index.js` before package use. It executes a shell command that collects local account and system data, then exfiltrates it to a third-party webhook.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- `package.json` runs `node index.js` in `preinstall`.
- `index.js` executes a shell command through `child_process.exec`.
- The command collects `/etc/passwd`, `/etc/hosts`, `id`, and readable `/etc/shadow`.
- Collected output is base64-encoded and POSTed to `webhook.site`.
- The external request includes the local username and hostname in its URL.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource executes local commands and sends command output to an external endpoint.
index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L1Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg