AI Security Review
scanned 8d ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. The package mutates AI assistant control-surface files in the consumer project at install time. This is activated by npm lifecycle execution and can steer IDE/agent behavior without a separate user opt-in.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install / postinstall lifecycle
Impact
Can influence Cursor/Windsurf/AI coding assistant behavior in consuming projects; no confirmed credential theft, data exfiltration, or destructive payload found.
Mechanism
install-time copy of AI assistant rule files
Policy narrative
On installation, scripts/postinstall.js copies package-supplied AI assistant instruction files from the package into the consuming project root when they do not already exist. Those files tell Cursor/Windsurf and other assistants to read and follow Lean IDS rules before generating code, creating an unconsented AI-agent control-surface mutation. Static inspection did not find exfiltration, payload download, shell execution, or destructive behavior.
Rationale
Source inspection confirms install-time writes of AI-agent rule files into the consumer project root. Even though the content is package-aligned and no traditional malware behavior was found, unconsented lifecycle mutation of AI-agent control files is a blocking behavior under the review boundary. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonscripts/postinstall.js.cursorrules.windsurfrulesAI_GUIDELINES.mdAI_READING_FLOW.mddist/index.jsdist/index.esm.jsAI_GUIDELINES_README.mdAI_SETUP_COMPLETE.md
Decision evidence
public snapshotAI called this Malicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json defines install lifecycle hook: postinstall runs scripts/postinstall.js
- scripts/postinstall.js resolves the consuming project root from node_modules and copies files there during install
- Copied files include AI-agent control/guidance files: .cursorrules, .windsurfrules, AI_GUIDELINES.md, AI_READING_FLOW.md
- AI rule files instruct assistants to read/follow package-provided rules before writing code and constrain library choices
Evidence against
- postinstall.js uses local fs/path copy operations only; no network, child_process, eval, or credential harvesting found
- Script does not overwrite existing destination files and catches copy errors
- dist/index.js and dist/index.esm.js appear to be bundled React UI components with React/styled-components/MUI/tokens imports
- No relevant runtime network endpoints found in executable package code
- AI guideline contents are mostly package usage/design-system guidance, not direct exfiltration or destructive instructions
Behavioral surface
EnvironmentVarsFilesystem
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js || true
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings