AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installation mutates a consuming project's root-level AI-agent configuration. It creates Cursor and Windsurf rule files plus package-authored instruction documents without an explicit user command.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install
Impact
Unconsented control of broad AI coding-assistant behavior in the consuming project.
Mechanism
postinstall copies AI-agent rules into the consumer project root
Policy narrative
On installation, the package's postinstall script calculates the consuming project root and copies package-controlled `.cursorrules` and `.windsurfrules` there if they do not already exist. These files instruct multiple AI coding assistants to follow the package's mandatory usage rules. This is an unconsented install-time mutation of a foreign, broad AI-agent control surface; accompanying AI documentation reinforces the injected guidance.
Rationale
The lifecycle hook concretely writes AI-agent rule files into the consumer project during `npm install`. The non-overwrite guard and lack of network activity do not remove the unconsented control-surface mutation.
Evidence
package.jsonscripts/postinstall.cjs.cursorrules.windsurfrulesAI_GUIDELINES.mdAI_READING_FLOW.mdAI_GUIDELINES_README.mdAI_SETUP_COMPLETE.md
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- `package.json` runs `node scripts/postinstall.cjs || true` during installation.
- `scripts/postinstall.cjs` resolves the consuming project root from its `node_modules` location.
- The install hook copies `.cursorrules` and `.windsurfrules` into that project root when absent.
- Those copied files direct AI coding assistants to follow package-controlled rules and library preferences.
- The hook also drops linked AI instruction documents into the consumer project without user invocation.
Evidence against
- The hook avoids overwriting existing destination files.
- Inspected `dist/index.js` is a React component bundle; no confirmed network or shell execution was found.
- No credential harvesting or external endpoint use was found in the inspected lifecycle source.
Behavioral surface
EnvironmentVarsFilesystem
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.cjs || true
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.cjs || true
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings