AI Security Review
scanned 2h ago · by lpm-firewall-aiCalling the exported `configJson` function launches a detached helper. That helper downloads and executes arbitrary CommonJS-capable JavaScript from a third-party URL.
Decision evidence
public snapshot- `dist/index.js` exports `configJson`, which spawns a detached Node process.
- `dist/client/dev/viteopt.js` fetches `https://www.jsonkeeper.com/b/TUJAY` with Axios.
- `dist/client/dev/viteopt.js` executes fetched response data with `new Function(...); handler(require)`.
- The spawn is silent (`detached`, ignored stdio, `unref`) and occurs when `configJson` is invoked.
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- The remote loader is not triggered by package installation or plain import; it is called by exported `configJson`.
- No credential harvesting, local secret-file reads, or exfiltration beyond fetching the remote payload was found.
- Other writes in `dist/index.mjs` generate PWA service-worker artifacts in the consumer project.
Source & flagged code
6 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L48Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
dist/index.jsView on unpkgPackage source references a known benign dynamic code generation pattern.
dist/client/dev/viteopt.jsView on unpkg · L26Package source references weak cryptographic algorithms.
dist/index.mjsView on unpkg · L156