This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Malicious package due to suspicious preinstall script, runtime dependency resolution in .node file, and missing source project information.
The package exhibits several suspicious behaviors that, when combined, strongly suggest malicious intent.
Evidence 0 & 1: Suspicious preinstall script: The package.json includes a preinstall script that executes node preinstall.js. Lifecycle hooks such as preinstall run automatically during npm install, with the privileges of the installing user and before any of the package's code is ever imported, which is why this is a common technique used by malicious packages to execute arbitrary code during installation. The existence of the hook does not by itself prove intent, but it makes the contents of preinstall.js the first file to review. The LLM-based analysis also flags this as suspicious, further increasing concern.
Evidence 2: Suspicious runtime dependency resolution: The YARA rule sus_dylib_tls_get_addr matched in package/src/index_linux.node, flagging runtime dependency resolution. The matched symbol, __tls_get_addr, is the dynamic linker's routine for locating thread-local storage at run time; a binary that imports it is relying on the loader to resolve behaviour that is not visible statically, which the analysis treats as a potential hook for dynamic loading of libraries, a technique that can be used to hide malicious code or bypass security measures. Two caveats matter for triage. First, ordinary Rust and C++ toolchains emit this symbol whenever thread-local variables are used, so on its own it is a weak indicator and the binary's full import list should be inspected before drawing conclusions. Second, a .node file is a compiled native addon that Node.js loads into its own process, so whatever it does runs with full process privileges and cannot be reviewed by reading JavaScript, which is what makes the match worth following up.
Evidence 3: Missing source project information: The absence of source project information makes it difficult to assess the package's trustworthiness. While not inherently malicious, it contributes to the overall suspicion, as it could be an attempt to obscure the package's origin.
While any single one of these findings might not be conclusive, the combination of a preinstall script running arbitrary code, a suspicious .node file with runtime dependency resolution, and the lack of source project information paints a picture of a package that is likely malicious. The preinstall script is the strongest of the three indicators, because it executes code at installation time, before the package is imported, tested or read by anyone, which is what makes install hooks a preferred vector for malicious actors.
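The three signals above can be checked offline before a package is ever installed. The following is an added example written for this page, not code from vet or SafeDep: it audits a package manifest and tarball file list for install-time lifecycle hooks, compiled native addons and missing source metadata, and combines them the way the report's reasoning does. The manifest and file list are constructed to mirror the findings above; only preinstall.js and package/src/index_linux.node come from the report, and the package name and everything else are assumed.

```javascript
// Added example (not part of the vet/SafeDep report): offline triage of an
// npm package for the three signals combined in the analysis above.

// npm lifecycle hooks worth reporting at all.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepack", "postpack"];

// Hooks npm runs automatically when the package is installed as a dependency.
const INSTALL_TIME_HOOKS = new Set(["preinstall", "install", "postinstall", "prepare"]);

function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};

  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    // "node <file>" (or a shell/python interpreter on a file) is the classic
    // install-time execution pattern; record which file to read next.
    const m = /^\s*(?:node|sh|bash|python[0-9.]*)\s+(\S+)/.exec(cmd);
    findings.push({
      kind: "lifecycle-script",
      hook,
      command: cmd,
      runsOnInstall: INSTALL_TIME_HOOKS.has(hook),
      target: m ? m[1] : null,
    });
  }

  // Compiled native addons run inside the Node.js process with full process
  // privileges and cannot be reviewed by reading JavaScript.
  for (const f of files) {
    if (f.endsWith(".node")) findings.push({ kind: "native-addon", path: f });
  }

  // Provenance: without a repository or homepage there is nothing to
  // cross-check the tarball contents against.
  const repo = manifest.repository;
  const hasRepo = Boolean(repo && (typeof repo === "string" || repo.url));
  if (!hasRepo && !manifest.homepage) findings.push({ kind: "missing-source-info" });

  return findings;
}

// Mirror the report's reasoning: an install-time hook alone warrants review;
// combined with a native binary or missing provenance it warrants blocking.
function verdict(findings) {
  const installHook = findings.some((f) => f.kind === "lifecycle-script" && f.runsOnInstall);
  const native = findings.some((f) => f.kind === "native-addon");
  const noSource = findings.some((f) => f.kind === "missing-source-info");
  if (installHook && (native || noSource)) return "block";
  if (installHook || native) return "review";
  return "allow";
}

// Constructed sample modelled on the report above; the package name is assumed.
const SAMPLE_MANIFEST = {
  name: "example-suspicious-pkg",
  version: "1.0.0",
  scripts: { preinstall: "node preinstall.js", test: "echo ok" },
};
const SAMPLE_FILES = [
  "package/package.json",
  "package/preinstall.js",
  "package/src/index.js",
  "package/src/index_linux.node",
];

const sampleFindings = auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES);
console.log(JSON.stringify(sampleFindings, null, 2));
console.log("verdict:", verdict(sampleFindings));
```

To obtain the inputs without executing the package, fetch the tarball with npm pack <name>@<version> (which downloads but does not install it) and read package/package.json and the file list from the archive; installing with npm install --ignore-scripts, or setting ignore-scripts=true in .npmrc, prevents the preinstall hook from running while the triage is done. For the .node finding, nm -D -u package/src/index_linux.node lists the undefined dynamic symbols the binary imports, which is where __tls_get_addr would appear alongside anything more telling such as dlopen.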