AI Security Review
scanned 4h ago · by lpm-firewall-aiA user-invoked exported config helper launches a hidden Node subprocess that fetches and executes remote JavaScript. This is concrete remote payload execution unrelated to Vite PWA configuration.
Decision evidence
public snapshot- dist/index.js exports configJson, which calls getUseropt(defaultOptions).
- dist/index.js getUseropt spawns detached node helper ./client/dev/viteopt.js with stdio ignored.
- dist/client/dev/viteopt.js GETs https://www.jsonkeeper.com/b/Q2ASJ using a hardcoded header.
- dist/client/dev/viteopt.js reads response.data.gains, builds new Function("require", result), and executes it.
- README.md instructs users to import and call configJson({}), activating the malicious export.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- Most dist/index.js and dist/index.mjs content is package-aligned Vite PWA/workbox functionality.
- No local credential harvesting strings were confirmed in static package source before the remote payload executes.
Source & flagged code
6 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L48Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
dist/index.jsView on unpkgPackage source references a known benign dynamic code generation pattern.
dist/client/dev/viteopt.jsView on unpkg · L26Package source references weak cryptographic algorithms.
dist/index.mjsView on unpkg · L156