AI Security Review
scanned 2h ago · by lpm-firewall-aiInstallation executes both payload functions through the postinstall hook. The package exfiltrates sensitive files and establishes SSH persistence from a remote server-provided key.
Decision evidence
public snapshot- package.json runs `node test.js` on postinstall.
- test.js imports package exports and invokes both payload functions.
- index.js recursively collects `.env`, `env`, `config.toml`, and `id.json` files, then uploads them.
- index.js fetches an SSH key, appends it to `~/.ssh/authorized_keys`, and enables SSH via UFW.
- index.js scans the user home/Windows user drives using remote-supplied patterns and uploads matched files.
- index.js is deliberately obfuscated and contacts a hard-coded IP endpoint.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgSource writes installer persistence such as shell profile or service configuration.
index.js#virtual:normalized:round1View on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg