AI Security Review
scanned 4h ago · by lpm-firewall-aiConfirmed runtime remote code execution. Calling the exported middleware starts a detached child process that fetches and executes remote code.
Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Application imports package and invokes exported middleware/function
Impact
Remote attacker-controlled JavaScript can run with package consumer privileges.
Mechanism
detached child_process spawn plus remote payload fetch and Function constructor execution
Attack narrative
At runtime, the exported function in index.js calls runJobA, which launches a detached node process for lib/caller.js. That child process requests a payload from a Pinata/IPFS URL, reads response.data.cookie, builds a new Function with access to require, and executes it. This is hidden behind package functionality and enables arbitrary remote code execution.
Rationale
Source inspection confirms a concrete hidden runtime RCE chain from package API invocation to remote payload execution. Absence of install hooks reduces install-time impact but does not make the package benign.
Evidence
package.jsonindex.jslib/caller.jslib/const.jsfile.js
Network endpoints1
bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu
Decision evidence
public snapshotAI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
- index.js exports middleware that spawns detached node process running lib/caller.js when invoked.
- lib/caller.js fetches JavaScript-like payload data from Pinata/IPFS URL with axios.
- lib/caller.js executes remote response via Function.constructor("require", s) and passes require.
- Package appears to masquerade as pino-derived logger content while named type-slint.
Evidence against
- package.json has no npm lifecycle hooks, so behavior is not install-time.
- No local native binaries or bytecode files found.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceindex.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 2ad508fc9ea2882e
signatureType = suspicious_hashes
sourceLabel = OpenSSF malicious-packages
matchedPackage = tslint-conf@7.2.1
matchedPath = index.js
matchedIdentity = npm:dHNsaW50LWNvbmY:7.2.1
similarity = 1.000
shingleOverlap = 12
summary = Malicious code in tslint-conf (npm)
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgdocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
2 High3 Medium3 Low
HighEval
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings