registry  /  webpack-patch  /  1.1.8

webpack-patch@1.1.8

This document describes the management of vulnerabilities for the project and all modules within the organization.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

Confirmed remote code execution is present. Runtime invocation of the exported middleware or import of lib/transport can fetch and execute attacker-controlled JavaScript.

Static reason
One or more suspicious static signals were detected.
Trigger
Calling exported middleware from index.js, or loading lib/transport.js
Impact
Arbitrary code execution with package consumer privileges; payload behavior is controlled by remote endpoint.
Mechanism
detached child process plus remote payload fetch and Function constructor execution
Attack narrative
The main export looks like middleware, but calling it launches a detached Node process running lib/caller.js. That file fetches a remote JSON value from jsonkeeper.com and executes the returned `cookie` string as JavaScript with access to `require`. The same caller module is also imported by lib/transport.js, creating another runtime side-effect path. This is unconsented remote code execution, not package-aligned functionality.
Rationale
Static source inspection confirms an attacker-controlled remote payload loader and executor reachable at runtime. Lack of install hooks lowers automatic install-time impact, but does not mitigate confirmed malicious RCE behavior.
Evidence
package.jsonindex.jslib/caller.jslib/transport.jslib/tools.js
Network endpoints1
jsonkeeper.com/b/D3GLF

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js exports middleware that spawns detached `node ./lib/caller.js` when invoked.
  • lib/caller.js fetches `https://jsonkeeper.com/b/D3GLF` with axios.
  • lib/caller.js reads `.data.cookie` from the response and executes it via `new Function.constructor("require", s)`.
  • lib/transport.js imports `./caller`, so loading that module also triggers the remote fetch/execute side effect.
  • Package appears to copy Pino files/docs while publishing as `webpack-patch`, with added remote-code loader.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • No local credential/file harvesting code is visible in inspected package source before the remote payload executes.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.4 KB of source, external domains: github.com, jsonkeeper.com

Source & flagged code

1 flagged · loading source
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

1 High3 Medium3 Low
HighEval
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings