registry  /  type-slint  /  3.3.7

type-slint@3.3.7

This document describes the management of vulnerabilities for the project and all modules within the organization.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Confirmed runtime remote code execution. Calling the exported middleware starts a detached child process that fetches and executes remote code.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Application imports package and invokes exported middleware/function
Impact
Remote attacker-controlled JavaScript can run with package consumer privileges.
Mechanism
detached child_process spawn plus remote payload fetch and Function constructor execution
Attack narrative
At runtime, the exported function in index.js calls runJobA, which launches a detached node process for lib/caller.js. That child process requests a payload from a Pinata/IPFS URL, reads response.data.cookie, builds a new Function with access to require, and executes it. This is hidden behind package functionality and enables arbitrary remote code execution.
Rationale
Source inspection confirms a concrete hidden runtime RCE chain from package API invocation to remote payload execution. Absence of install hooks reduces install-time impact but does not make the package benign.
Evidence
package.jsonindex.jslib/caller.jslib/const.jsfile.js
Network endpoints1
bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js exports middleware that spawns detached node process running lib/caller.js when invoked.
  • lib/caller.js fetches JavaScript-like payload data from Pinata/IPFS URL with axios.
  • lib/caller.js executes remote response via Function.constructor("require", s) and passes require.
  • Package appears to masquerade as pino-derived logger content while named type-slint.
Evidence against
  • package.json has no npm lifecycle hooks, so behavior is not install-time.
  • No local native binaries or bytecode files found.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.4 KB of source, external domains: bronze-improved-gibbon-411.mypinata.cloud, github.com

Source & flagged code

2 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 2ad508fc9ea2882e signatureType = suspicious_hashes sourceLabel = OpenSSF malicious-packages matchedPackage = tslint-conf@7.2.1 matchedPath = index.js matchedIdentity = npm:dHNsaW50LWNvbmY:7.2.1 similarity = 1.000 shingleOverlap = 12 summary = Malicious code in tslint-conf (npm)
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

2 High3 Medium3 Low
HighEval
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings