registry  /  testing-d3do  /  99.9.9

testing-d3do@99.9.9

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package runs index.js during npm postinstall and exfiltrates host fingerprint data. It has no apparent benign runtime functionality beyond the exfiltration routine.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or any install flow that runs postinstall scripts
Impact
Leaks hostname, username, current working directory, local IPv4 address, and package name to an external OAST endpoint.
Mechanism
install-time host fingerprint collection and HTTP exfiltration
Attack narrative
On installation, npm runs the postinstall script `node index.js`. The script gathers host identity and environment location data, including hostname, username, current working directory, external IPv4 address, and package name, serializes it as JSON, and posts it to an external oast.fun HTTP endpoint.
Rationale
Direct source inspection confirms unconsented install-time host fingerprint exfiltration to an external endpoint, with no benign package behavior to justify the data collection. This is concrete malicious behavior suitable for blocking.
Evidence
package.jsonindex.js
Network endpoints1
lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun:80/receive-data

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node index.js, causing install-time execution.
  • index.js collects os.hostname(), process.cwd(), os.userInfo().username, and external IPv4 address.
  • index.js sends collected host/user/path/IP/package data via HTTP POST.
  • External endpoint is lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun:80/receive-data.
  • No package functionality besides install-time host fingerprint exfiltration is present.
Evidence against
  • No child_process, eval/vm/Function, native binary loading, persistence, or destructive file operations found.
  • Only package files present are package.json and index.js.
Behavioral surface
Source
Network
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.54 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
2const { networkInterfaces } = require('os'); L3: const http = require('http'); L4: L5: // Read package name from package.json L6: const packageJson = require('./package.json'); ... L9: // Fetch system info L10: const hostname = os.hostname(); L11: const path = process.cwd(); ... L62: req.on('error', (error) => { L63: console.error('Error sending data:', error); L64: });
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

index.jsView on unpkg · L2

Findings

2 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
MediumNetwork
LowScripts Present