AI Security Review
scanned 2d ago · by lpm-firewall-ai

A real install-time hook exists, but no malicious payload is present in the shipped source. The unresolved risk is the automatic bunx command during dependency installation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm/bun package install lifecycle postinstall
Impact
Could execute tooling outside the package source during install; no source-confirmed exfiltration or destructive behavior found.
Mechanism
install-time external runner command
Attack narrative
On installation, package.json runs `bunx config prepare`. The package itself only ships translation TypeScript objects and a type declaration, with no local executable payload or runtime entrypoint, but the lifecycle command delegates execution to external tooling that is not inspectable from this package source.
Rationale
Static inspection does not confirm malware in the package source, but the automatic postinstall external runner is a concrete unresolved install-time risk for a translations package. Treat as warn rather than publish block because no credential access, exfiltration, destructive action, or packaged payload was found.
Evidence
- package.json
- src/english.ts
- src/vietnamese.ts
- types/interfaces.d.ts
- readme.md
Decision evidence
public snapshot

AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines install-time postinstall: bunx config prepare
- postinstall invokes an external package runner command rather than code shipped in src/types
- No local config script or bin target is present in the package files to inspect
Evidence against
- Package contents are translation data files under src/*.ts plus types/interfaces.d.ts
- rg found no child_process, fs reads/writes, eval/vm/Function, credential harvesting, or network code in shipped source
- No main/module/browser/bin entrypoint is declared
- README describes a translations repository and source files match that purpose
Behavioral surface
High Entropy Strings
Source & flagged code
2 flagged

package.json
- scripts.postinstall = bunx config prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = bunx config prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 2 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Low: Scripts Present
- Low: High Entropy Strings