
@anime.club/translations@1.1.164

This repository contains all translations for the [Anime.club](https://anime.club) website 😉

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malware behavior is present in package source, but install triggers an external bunx config command. The risk is unresolved because the executed implementation is outside the inspected package files.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install lifecycle postinstall
Impact: unverified install-time code execution in consumer environment
Mechanism: external install-time bunx command
Attack narrative: On install, npm runs package.json postinstall, which invokes bunx config prepare. The published source itself is translation data and types, but the lifecycle hook delegates execution to an external tool outside the package contents, leaving install-time behavior unresolved by static inspection of this package alone.
Rationale: Source inspection found benign translation modules and no local exfiltration, persistence, destructive, dynamic loading, or runtime attack code. The nonessential install-time bunx command creates a real unresolved install hook risk, so warn rather than block.
Evidence
  • package.json
  • src/english.ts
  • src/*.ts
  • types/interfaces.d.ts

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines install-time postinstall: bunx config prepare
  • postinstall invokes an external bunx command not included in published files
Evidence against
  • Published package files are limited to src and types translation/type files
  • src/*.ts export static translation objects; no imports, fs, child_process, eval, or network APIs found
  • No package main/bin entrypoint and no runtime code beyond translations
  • Only URL seen is repository/readme anime.club/GitHub documentation
Behavioral surface
  • Source: No risky source behavior triggered.
  • Supply chain: HighEntropyStrings
  • Manifest: No manifest risk signals triggered.
scanned 14 file(s), 488 KB of source

Source & flagged code

2 flagged
package.json
scripts.postinstall = bunx config prepare
High: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bunx config prepare
Medium: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.


Findings

1 High, 1 Medium, 2 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Low: Scripts Present
  • Low: High Entropy Strings