AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a user-invoked tmux/agent monitoring CLI with web UI, hooks, push notifications, and usage-cost integrations.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs vde-monitor CLI or explicitly installs/runs vde-monitor-hook via printed hook snippets.
Impact
Expected local state/token persistence and provider-aligned usage queries; no unconsented exfiltration or lifecycle mutation found.
Mechanism
local monitoring server, CLI helpers, and optional agent hook event logging
Rationale
Static inspection shows sensitive primitives are tied to documented monitoring, notification, pricing, and usage-dashboard features, with no lifecycle activation or hidden exfiltration. The scanner hints are explained by the bundled CLI/server and web syntax assets rather than concrete attack behavior.
Evidence
package.jsonREADME.mddist/index.jsdist/vde-monitor-hook.jsdist/web/assets/codeql-DsOJ9woJ.js~/.vde-monitor/token.json~/.vde-monitor/state.json~/.vde-monitor/push-vapid.json~/.vde-monitor/notifications.json~/.vde-monitor/events/<server-key>/claude.jsonl~/.vde-monitor/events/<server-key>/codex.jsonl~/.claude/.credentials.json~/.claude/projects/<encoded>/<session>.jsonl~/.codex/sessions
Network endpoints3
raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.jsonapi.anthropic.com/api/oauth/usageplatform.claude.com/v1/oauth/token
Decision evidence
public snapshotAI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js can read Claude credentials from ~/.claude/.credentials.json and macOS keychain for usage dashboard features.
- dist/index.js uses fetch/web-push and execa/spawn for pricing, notifications, tmux/wezterm/vw/git/ps, and Claude OAuth usage.
- dist/vde-monitor-hook.js appends raw Claude/Codex hook payloads to ~/.vde-monitor/events after explicit hook invocation.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; bins are user-invoked.
- README.md documents hooks, token/state files, push config, usage dashboard, and Claude/Codex integration paths.
- dist/index.js prints hook snippets for user paste; it does not write ~/.claude/settings.json or ~/.codex/hooks.json.
- Network endpoints are feature-aligned: LiteLLM pricing, Anthropic OAuth usage/refresh, web-push subscriptions.
- dist/web/assets/codeql-DsOJ9woJ.js dynamic require hit is bundled syntax-highlighting grammar data, not package control flow.
- No hidden downloader, obfuscated payload, destructive behavior, persistence, or unconsented AI-agent control-surface mutation found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/web/assets/codeql-DsOJ9woJ.jsView file
1const e=Object.freeze(JSON.parse('{"displayName":"CodeQL","fileTypes":["ql","qll"],"name":"codeql","patterns":[{"include":"#module-member"}],"repository":{"abstract":{"match":"\\\\...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/web/assets/codeql-DsOJ9woJ.jsView on unpkg · L1dist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = vde-monitor@0.9.3
matchedIdentity = npm:dmRlLW1vbml0b3I:0.9.3
similarity = 0.975
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/index.jsView on unpkg10import webpush from "web-push";
L11: import { execa, execaSync } from "execa";
L12: import { spawn } from "node:child_process";
...
L21: import { streamSSE } from "hono/streaming";
L22: import { createServer } from "node:net";
L23: import { createInterface as createInterface$1 } from "node:readline/promises";
...
L578: if (path.extname(configPath).toLowerCase() === ".json") try {
L579: return JSON.parse(raw);
L580: } catch {
...
L767: const getTokenDir = () => {
L768: return path.join(os.homedir(), ".vde-monitor");
L769: };
Low
Findings
1 Critical4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
MediumDynamic Requiredist/web/assets/codeql-DsOJ9woJ.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings