
@anime.club/translations@1.1.167

This repository contains all translations for the [Anime.club](https://anime.club) website 😉

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious payload was found in package source. Residual risk is the install-time postinstall command invoking bunx config prepare outside the inspected package code.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
unresolved install-time behavior; no source-confirmed exfiltration or persistence
Mechanism
external bunx command during install
Attack narrative
On install, npm can run package.json postinstall, which invokes bunx config prepare. The inspected package source itself is a translations dataset with exported strings/functions and no credential, filesystem, shell, or network primitives, but the lifecycle command delegates behavior to tooling not included in this package.
Rationale
The source files look benign and package-aligned, but an install-time bunx command remains an unresolved execution surface because its implementation is not present in the package. This supports a warning rather than a publish block.
Evidence
  • package.json
  • src/english.ts
  • src/japanese.ts
  • types/interfaces.d.ts
  • readme.md

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines install-time postinstall: bunx config prepare
  • Lifecycle command delegates to an external bunx tool not present in package source
Evidence against
  • Package contents are only package.json, readme/LICENSE, types, and src translation .ts files
  • src/*.ts export translation objects and simple interpolation functions only
  • No child_process, fs access, eval, dynamic require/import, env harvesting, or runtime network code found in src/types
  • README and LICENSE links are documentation/package-aligned
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 14 file(s), 490 KB of source

Source & flagged code

2 flagged
package.json
scripts.postinstall = bunx config prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bunx config prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High · 1 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Low · Scripts Present
Low · High Entropy Strings