AI Security Review
scanned 2h ago · by lpm-firewall-aiRuntime middleware invocation spawns a detached background process. That process retrieves and executes attacker-controlled JavaScript from a remote endpoint.
Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Calling the default exported middleware factory from `index.js`.
Impact
Remote code execution in the installing application's user context, with Node `require` capability.
Mechanism
Detached child process performs remote payload download and dynamic execution.
Attack narrative
When a consumer invokes the package's exported middleware factory, `index.js` launches `lib/caller.js` as a detached Node process. The child immediately requests a fixed remote URL with a secret-style header, reads the response's `cookie` field, compiles it using the Function constructor, and invokes it with `require`. The endpoint therefore controls executable code in the consumer environment without a package update or user consent.
Rationale
The package implements a concrete remote payload loader and executes its response at runtime. Absence of install hooks does not mitigate this direct remote-code-execution chain.
Evidence
package.jsonindex.jslib/caller.js
Network endpoints1
json.extendsclass.com/bin/250fca079abb
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-10164
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-async (npm)
Details
The package presents itself as pino (typosquat; README mirrors pino). The main entry `index.js` exports a middleware factory that, on invocation, spawns `lib/caller.js` as a detached Node child process. `lib/caller.js` performs an HTTPS GET against a remote JSON pastebin (https://json.extendsclass.com/bin/250fca079abb), extracts the `.cookie` field of the response, and passes it to `new Function.constructor("require", s)`, then invokes the resulting function with the host's `require` binding — giving whoever controls the pastebin arbitrary code execution on the machine that loaded the package, with full Node module access. Alternate payload URLs on jsonkeeper.com (https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) are stored base64-encoded inside fake `process.env` objects in `lib/caller.js` and `lib/const.js` under a `DEV_API_KEY` key, obscuring the destination hosts from casual inspection. The fetched content is unpinned and mutable, the destinations are anonymous paste services unrelated to the package's advertised logging purpose, and the payload is executed with no integrity verification.
References
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` starts a detached Node child whenever exported middleware is invoked.
- `lib/caller.js` immediately fetches remote content from `https://json.extendsclass.com/bin/250fca079abb`.
- `lib/caller.js` extracts `data.cookie` and executes it with `new Function.constructor(...)(require)`.
- Remote code receives `require`, enabling arbitrary local module access under the consumer process.
Evidence against
- `package.json` has no npm lifecycle hooks.
- No package-owned file writes or AI-agent control-surface mutation were found in inspected source.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceindex.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 2ad508fc9ea2882e
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = type-atob@3.3.7
matchedPath = index.js
matchedIdentity = npm:dHlwZS1hdG9i:3.3.7
similarity = 1.000
shingleOverlap = 12
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgdocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
2 High3 Medium3 Low
HighEval
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings