AI Security Review
scanned 10h ago · by lpm-firewall-aiThe package entrypoint is an obfuscated credential-stealing payload. Importing or executing `index.js` starts `run()` and includes a worker-based HTTP POST exfiltration path.
Decision evidence
public snapshot- `index.js` executes `run()` at top level.
- `index.js` reads APPDATA, LOCALAPPDATA, and the home directory.
- `index.js` defines Discord token patterns and AES-GCM decryption.
- `index.js` collects `discord`, `passwords`, `cookies`, `roblox`, `cards`, and `screenshot` data.
- `index.js` embeds a Discord webhook and POST relay to `150.136.37.62:5000/api/v2/c`.
- `index.js` uses `child_process.execSync`, filesystem access, and worker-thread relay code.
- `package.json` contains no preinstall, install, or postinstall lifecycle hook.
- Only `package.json` and the obfuscated `index.js` are present; no legitimate MFA implementation is evident.
Source & flagged code
7 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
index.jsView on unpkg · L1