# flexmonster@2.9.124 — Threat Briefing

Critical risk — threat briefing for npm package flexmonster@2.9.124. Capabilities, risk paths, and what to check.

- **Ecosystem:** npm
- **Latest version:** 2.9.130
- **License:** https://www.flexmonster.com/software-license-agreement/

## Risk

- **Level:** critical
- **Summary:** Dynamic code evaluation with network access — potential code injection or exfiltration

## Capability Summary

| Capability | Level |
|---|---|
| install scripts | none |
| network access | client |
| filesystem | write |
| shell execution | none |

## Capabilities

### Other

- Long encoded payload [common]
- new Function() constructor [common]
- Invisible Unicode in source [common]
- Network stdlib call (info-only) [common]
- External vendor / cloud integration [common]
- Manifest version disagrees with bundled artifact [common]
- Unexpected native binary in source [common]

### Execution

- Dynamic code execution (eval) [unusual]

### Filesystem

- Filesystem write [common]

### Network

- Network client [common]

## Recommended Action

Do not install. Review immediately if already in use.