
@anime.club/translations@1.1.166

This repository contains all translations for the [Anime.club](https://anime.club) website 😉

AI Security Review

scanned 2d ago · by lpm-firewall-ai

A real install-time hook exists, but no malicious payload is present in the shipped source. The unresolved risk is the automatic bunx command during dependency installation.

Static reason: One or more suspicious static signals were detected.
Trigger: npm/bun package install lifecycle postinstall
Impact: Could execute tooling outside the package source during install; no source-confirmed exfiltration or destructive behavior found.
Mechanism: install-time external runner command
Attack narrative: On installation, package.json runs `bunx config prepare`. The package itself only ships translation TypeScript objects and a type declaration, with no local executable payload or runtime entrypoint, but the lifecycle command delegates execution to external tooling that is not inspectable from this package source.
Rationale: Static inspection does not confirm malware in the package source, but the automatic postinstall external runner is a concrete unresolved install-time risk for a translations package. Treat as warn rather than publish block because no credential access, exfiltration, destructive action, or packaged payload was found.
Evidence: package.json, src/english.ts, src/vietnamese.ts, types/interfaces.d.ts, readme.md

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines install-time postinstall: bunx config prepare
  • postinstall invokes an external package runner command rather than code shipped in src/types
  • No local config script or bin target is present in the package files to inspect
Evidence against
  • Package contents are translation data files under src/*.ts plus types/interfaces.d.ts
  • rg found no child_process, fs reads/writes, eval/vm/Function, credential harvesting, or network code in shipped source
  • No main/module/browser/bin entrypoint is declared
  • README describes a translations repository and source files match that purpose
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: High Entropy Strings
Manifest: No manifest risk signals triggered.
scanned 14 file(s), 490 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = bunx config prepare
High: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bunx config prepare
Medium: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 1 Medium, 2 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Low: Scripts Present
Low: High Entropy Strings