ai-node-agent @0.0.3
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-6517
Ecosystem
npm
Summary
All published JavaScript in dist/ (index.js, client.js, server.js, react.js, and sibling chunks) is heavily obfuscated using javascript-obfuscator (declared as a devDependency) with the hex-identifier and shuffled string-array dispatcher style. The package declares no preinstall/install/postinstall lifecycle hooks; no fetch-and-execute against remote hosts, no reads of installer-secret paths (~/.aws, ~/.ssh, ~/.npmrc, browser profiles), no enumeration of process.env, and no hardcoded credentials or attacker-controlled C2 endpoints were observed in the entry points reviewed. The 'ping/GET/id' keyword co-occurrence flagged in dist/server.js fires inside the obfuscated bundle and is not corroborated by any reachable exfiltration path in the files read. Obfuscation of the entire shipped surface makes the code unauditable and is a legitimate transparency concern for an 'ai-node-agent' library — reviewers should weigh maintainer trust before adopting — but on its own does not meet the threshold for a published block.
Source: amazon-inspector (2dcf100385d43e4bb2e48489a99d1fc2d4f919953963fa0339966bd5270f61b3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.