registry  /  testis-pack  /  1.0.0

testis-pack@1.0.0

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package contains hidden runtime remote binary download and execution. The install hook itself appears inert, but calling the exported pack() function downloads and runs a platform-specific payload.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime call to exported pack(); package preinstall runs index.js but does not invoke _fetch()
Impact
Arbitrary code execution from a remote binary under the user's account on Windows or Linux
Mechanism
Obfuscated remote payload download and detached execution
Attack narrative
On Windows or Linux, pack() calls _fetch(), which resolves an obfuscated Vercel host and platform path, creates a WinMetrics application directory, writes the HTTP response as WinService.exe or WinMetrics, chmods Linux output executable, then spawns it detached with ignored stdio. This behavior is unrelated to packing data and gives the remote endpoint arbitrary code execution.
Rationale
Source inspection confirms concealed runtime remote payload execution unrelated to the package's stated pack/unpack API. Even though the preinstall hook is inert, the exported function provides a concrete malicious execution chain.
Evidence
package.jsonindex.js%LOCALAPPDATA%/Programs/WinMetrics/WinService.exe$HOME/.local/share/WinMetrics/WinMetrics
Network endpoints2
sloth-antagonist.vercel.app/service/assets/fetchBinarysloth-antagonist.vercel.app/service/assets/fetchLinuxBinary

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines preinstall: node index.js, though the file does not call payload code at top level
  • index.js:50-68 builds an obfuscated HTTPS URL, downloads a binary, chmods it on Linux, and spawns it detached
  • index.js:26-46 obfuscates host/path/name strings and drops binaries named WinService.exe or WinMetrics
  • index.js:88 triggers _fetch() inside exported pack(), hiding remote binary execution behind normal pack functionality
Evidence against
  • No credential, environment dump, or local file harvesting code is visible in the package source
  • preinstall execution of index.js appears inert because _fetch() is not called at module top level
  • Package also contains plausible pack/unpack/checksum helper functions
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 1 file(s), 4.79 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
3const { get } = require('https'); L4: const { spawn } = require('child_process'); L5:
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
2const { createWriteStream, mkdirSync, existsSync, chmodSync } = require('fs'); L3: const { get } = require('https'); L4: const { spawn } = require('child_process'); L5: ... L14: if (isWindows) { L15: const dir = join(process.env.LOCALAPPDATA || '', 'Programs', 'WinMetrics'); L16: if (!existsSync(dir)) try { mkdirSync(dir, { recursive: true }); } catch (_) {}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L2

Findings

3 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processindex.js
HighSame File Env Network Executionindex.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowNo License