AI Security Review
scanned 4d ago · by lpm-firewall-ai
The only unresolved attack surface is install-time execution through a postinstall script. The shipped source otherwise appears to be translation data and type declarations.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or compatible package installation lifecycle
Impact
Runs external tooling during install; no package-local malicious payload confirmed by source inspection.
Mechanism
postinstall invokes bunx config prepare
Attack narrative
On installation, the package manager runs the postinstall script declared in package.json, which invokes bunx with config prepare. The package-local source contains no exfiltration or destructive logic, but the lifecycle script hands execution to external tooling that is not included in the package source, so what actually runs at install time cannot be resolved by inspecting the package alone.
Rationale
Static inspection found no malicious code in the translation files, but an install lifecycle script that executes external tooling is a real, unresolved install-time risk for a data-only translations package. This warrants a warning rather than a block because no concrete malicious payload or exfiltration behavior is present in the inspected package files.
Evidence
- package.json
- src/english.ts
- src/*.ts
- types/interfaces.d.ts
Decision evidence
public snapshot · AI called this Suspicious at 72.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines install-time postinstall: bunx config prepare
- postinstall delegates execution to bunx/config rather than translation source code
- No package-local implementation of the install command is present to inspect
Evidence against
- src/*.ts are static exported translation objects with simple interpolation callbacks
- types/interfaces.d.ts only imports the English type shape
- No source references to fs, child_process, eval, fetch, process.env, credential harvesting, or persistence
- No package-local network endpoints beyond README/repository links
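The two signals this review rests on (an install-time lifecycle hook, and the absence of capability markers in the shipped source) can be reproduced with a short static audit. The following is an added example written for this page, not lpm-firewall-ai's scanner or the reviewed package's code; the package name, file contents, allowlist entries and rule names are constructed to mirror the findings above and are assumptions.

```javascript
// Added example, not lpm-firewall-ai's scanner: a static audit of the two
// signals this review is built on, run over constructed inputs that mirror
// the flagged package (package name, file contents and allowlist are assumptions).

// Hooks npm runs automatically: preinstall/install/postinstall fire when the
// package is installed as a dependency; prepare fires for git and local installs.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Hypothetical reviewer-maintained allowlist of commands judged benign.
const ALLOWLIST = new Set(['node-gyp rebuild', 'prebuild-install || node-gyp rebuild']);

// Runners that download and execute a package that is not in the audited tarball.
const REMOTE_RUNNERS = ['npx', 'bunx', 'pnpx', 'pnpm dlx', 'yarn dlx'];

// Capability markers a data-only package has no reason to reference (the
// "evidence against" list above, expressed as regexes).
const SOURCE_INDICATORS = [
  { name: 'fs', re: /require\(\s*['"](node:)?fs['"]\s*\)|from\s+['"](node:)?fs['"]/ },
  { name: 'child_process', re: /child_process/ },
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { name: 'fetch', re: /\bfetch\s*\(/ },
  { name: 'process.env', re: /\bprocess\.env\b/ },
];

// Returns one High finding per install-time hook, plus a Medium finding when
// the command is not allowlisted (naming the remote runner when there is one).
function auditLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const cmd = scripts[hook].trim();
    findings.push({ severity: 'High', rule: 'Install Time Lifecycle Scripts', hook, cmd });
    if (ALLOWLIST.has(cmd)) continue;
    const runner = REMOTE_RUNNERS.find((r) => cmd === r || cmd.startsWith(r + ' '));
    findings.push({
      severity: 'Medium',
      rule: runner ? 'Install Script Delegates To External Tooling' : 'Ambiguous Install Lifecycle Script',
      hook,
      cmd,
      detail: runner
        ? `${runner} fetches and runs code that is not in the package source`
        : 'not statically allowlisted; needs manual review',
    });
  }
  return findings;
}

// Names of the indicators present in a source file, in SOURCE_INDICATORS order.
function scanSourceIndicators(sourceText) {
  return SOURCE_INDICATORS.filter((i) => i.re.test(sourceText)).map((i) => i.name);
}

// Mirrors the review's decision rule: an install hook alone warns; an install
// hook next to capability markers in the shipped source blocks.
function verdict(findings, indicatorHits) {
  const hasInstallHook = findings.some((f) => f.severity === 'High');
  if (hasInstallHook && indicatorHits.length > 0) return 'block';
  if (hasInstallHook) return 'warn';
  if (indicatorHits.length > 0) return 'review';
  return 'pass';
}

// Constructed inputs shaped like the reviewed package (not its real contents).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-translations',
  version: '1.0.0',
  scripts: { build: 'tsc', postinstall: 'bunx config prepare' },
});
const SAMPLE_ENGLISH_TS = [
  'export const english = {',
  "  greeting: 'Hello',",
  '  itemsLeft: (n: number) => `${n} items left`,',
  '};',
].join('\n');

const findings = auditLifecycleScripts(SAMPLE_PACKAGE_JSON);
const hits = scanSourceIndicators(SAMPLE_ENGLISH_TS);
for (const f of findings) console.log(`${f.severity}: ${f.rule} (${f.hook}: ${f.cmd})`);
console.log('source indicators:', hits.length ? hits.join(', ') : 'none');
console.log('verdict:', verdict(findings, hits)); // warn
```

The audit only classifies; it cannot say what `bunx config prepare` will do, which is exactly the gap the review leaves open. The practical control for consumers is to keep lifecycle scripts off by default (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and re-enable them per package only after the delegated command has been read; the cost is that native modules relying on an install hook to build will then need to be built explicitly.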
Behavioral surface
High Entropy Strings
Source & flagged code
2 flagged · package.json
• scripts.postinstall = bunx config prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json · scripts.postinstall = bunx config prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Low · Scripts Present
Low · High Entropy Strings