AI Security Review
scanned 2h ago · by lpm-firewall-aiConfirmed user-invoked remote code execution. The exported configJson helper launches a detached helper that downloads JavaScript from jsonkeeper and executes it with require access.
Decision evidence
public snapshot- dist/index.js exports configJson; calling it spawns detached node on dist/client/dev/viteopt.js
- dist/client/dev/viteopt.js GETs https://www.jsonkeeper.com/b/Q2ASJ with x-secret-key header
- dist/client/dev/viteopt.js reads response.data.value and executes it via new Function("require", result)
- README.md instructs users to import/call configJson, making the remote execution path user-facing
- Package appears to mimic vite-plugin-pwa naming/docs while adding unrelated remote code execution
- package.json has no npm lifecycle hooks, so attack is not install-time
- Most PWA/workbox code in dist/index.js appears package-aligned
- No local credential harvesting code is visible before the remote payload executes
Source & flagged code
4 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L48Package source references a known benign dynamic code generation pattern.
dist/client/dev/viteopt.jsView on unpkg · L26Package source references weak cryptographic algorithms.
dist/index.mjsView on unpkg · L156