AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package runs index.js during npm postinstall and exfiltrates host fingerprint data. It has no apparent benign runtime functionality beyond the exfiltration routine.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or any install flow that runs postinstall scripts
Impact
Leaks hostname, username, current working directory, local IPv4 address, and package name to an external OAST endpoint.
Mechanism
install-time host fingerprint collection and HTTP exfiltration
Attack narrative
On installation, npm runs the postinstall script `node index.js`. The script gathers host identity and environment location data, including hostname, username, current working directory, external IPv4 address, and package name, serializes it as JSON, and posts it to an external oast.fun HTTP endpoint.
Rationale
Direct source inspection confirms unconsented install-time host fingerprint exfiltration to an external endpoint, with no benign package behavior to justify the data collection. This is concrete malicious behavior suitable for blocking.
Evidence
package.jsonindex.js
Network endpoints1
lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun:80/receive-data
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json defines postinstall: node index.js, causing install-time execution.
- index.js collects os.hostname(), process.cwd(), os.userInfo().username, and external IPv4 address.
- index.js sends collected host/user/path/IP/package data via HTTP POST.
- External endpoint is lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun:80/receive-data.
- No package functionality besides install-time host fingerprint exfiltration is present.
Evidence against
- No child_process, eval/vm/Function, native binary loading, persistence, or destructive file operations found.
- Only package files present are package.json and index.js.
Behavioral surface
Network
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgindex.jsView file
2const { networkInterfaces } = require('os');
L3: const http = require('http');
L4:
L5: // Read package name from package.json
L6: const packageJson = require('./package.json');
...
L9: // Fetch system info
L10: const hostname = os.hostname();
L11: const path = process.cwd();
...
L62: req.on('error', (error) => {
L63: console.error('Error sending data:', error);
L64: });
High
Host Fingerprint Exfiltration
Source collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L2Findings
2 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
MediumNetwork
LowScripts Present