AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious payload was found in package source. Residual risk is the install-time postinstall command invoking bunx config prepare outside the inspected package code.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
unresolved install-time behavior; no source-confirmed exfiltration or persistence
Mechanism
external bunx command during install
Attack narrative
On install, npm can run package.json postinstall, which invokes bunx config prepare. The inspected package source itself is a translations dataset with exported strings/functions and no credential, filesystem, shell, or network primitives, but the lifecycle command delegates behavior to tooling not included in this package.
Rationale
The source files look benign and package-aligned, but an install-time bunx command remains an unresolved execution surface because its implementation is not present in the package. This supports a warning rather than a publish block.
Evidence
package.json, src/english.ts, src/japanese.ts, types/interfaces.d.ts, readme.md
Decision evidence
public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines install-time postinstall: bunx config prepare
- Lifecycle command delegates to an external bunx tool not present in package source
Evidence against
- Package contents are only package.json, readme/LICENSE, types, and src translation .ts files
- src/*.ts export translation objects and simple interpolation functions only
- No child_process, fs access, eval, dynamic require/import, env harvesting, or runtime network code found in src/types
- README and LICENSE links are documentation/package-aligned
Behavioral surface
High Entropy Strings
Source & flagged code
2 flagged
package.json
• scripts.postinstall = bunx config prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = bunx config prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Low · Scripts Present
Low · High Entropy Strings