AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malware behavior is present in package source, but install triggers an external bunx config command. The risk is unresolved because the executed implementation is outside the inspected package files.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
unverified install-time code execution in consumer environment
Mechanism
external install-time bunx command
Attack narrative
On install, npm runs package.json postinstall, which invokes bunx config prepare. The published source itself is translation data and types, but the lifecycle hook delegates execution to an external tool outside the package contents, leaving install-time behavior unresolved by static inspection of this package alone.
Rationale
Source inspection found benign translation modules and no local exfiltration, persistence, destructive, dynamic loading, or runtime attack code. The nonessential install-time bunx command creates a real unresolved install hook risk, so warn rather than block.
Evidence
- package.json
- src/english.ts
- src/*.ts
- types/interfaces.d.ts
Decision evidence
public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines install-time postinstall: bunx config prepare
- postinstall invokes an external bunx command not included in published files
Evidence against
- Published package files are limited to src and types translation/type files
- src/*.ts export static translation objects; no imports, fs, child_process, eval, or network APIs found
- No package main/bin entrypoint and no runtime code beyond translations
- Only URL seen is repository/readme anime.club/GitHub documentation
Behavioral surface
HighEntropyStrings
Source & flagged code
2 flagged
package.json
- scripts.postinstall = bunx config prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = bunx config prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 2 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Low: Scripts Present
- Low: High Entropy Strings