AI Security Review
scanned 18h ago · by lpm-firewall-ai
No confirmed malicious source behavior is present in the package contents. Residual risk is an install-time postinstall command that delegates to bunx/config code not included in this package.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install
Impact
Unresolved install-time code execution risk; no source-grounded exfiltration or persistence observed.
Mechanism
ambiguous lifecycle command: bunx config prepare
Attack narrative
On installation, npm would run the package postinstall script `bunx config prepare`. The package itself otherwise appears to be static translation data, and inspection found no local malicious primitives or payloads. Because the lifecycle command delegates outside the inspected package files, it remains a warn-level unresolved install-time execution risk rather than a publish-block finding.
Rationale
Static inspection supports a translations package with no malicious payload in source, but the unneeded install-time `bunx config prepare` hook is an unresolved external-execution path: npm runs it for every consumer that installs the package without `--ignore-scripts`, and the code it executes is resolved outside the inspected files. The verdict is warn rather than block because no concrete attack behavior, exfiltration, persistence, or AI-agent control-surface mutation is present in package files.
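To make the check described in the attack narrative and rationale above concrete, here is an added example (not code from the scanner that produced this report or from the package under review) that reads a package.json, picks out the scripts npm runs automatically at install time, and flags any that delegate to an npx/bunx-style runner whose target is not a runtime dependency. The package.json is constructed to mirror the shape of the finding above; the allowlist, the runner list and the scoped-devDependency name matching are this script's own assumptions.

```python
"""Inspect a package.json for install-time lifecycle scripts.

Added example for this review page; it is not code from the scanner that
produced the report or from the package it describes.  The package.json
below is constructed to mirror the finding above (a translations package
whose only executable surface is `postinstall: bunx config prepare`).  The
allowlist and the runner/dependency heuristics are this script's own
assumptions; only the lifecycle script names are npm semantics.
"""
import json
import re
import shlex

# Scripts npm runs automatically when a package is installed as a dependency
# (`prepare` also runs for git installs and before `npm publish`).
INSTALL_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Commands accepted without manual review (assumption: a deliberately short list).
ALLOWLIST = {"node-gyp rebuild", "prebuild-install || node-gyp rebuild"}

# Runners that download and execute a package that need not be in the tarball.
DELEGATING_RUNNERS = {("npx",), ("bunx",), ("pnpx",), ("pnpm", "dlx"), ("yarn", "dlx")}

# Constructed sample: the shape of the reviewed package, not its real contents.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-translations",
    "version": "1.0.0",
    "files": ["src", "types"],
    "scripts": {"postinstall": "bunx config prepare", "test": "bun test"},
    "devDependencies": {"@10stars/config": "^1.0.0", "typescript": "^5.0.0"},
})


def split_commands(command):
    """Break a shell one-liner into sub-commands on &&, ||, ; and |.

    Naive on purpose: assumes operators do not appear inside quotes.
    """
    return [part.strip() for part in re.split(r"&&|\|\||;|\|", command) if part.strip()]


def delegated_target(command):
    """Return the package/binary a delegating runner would fetch, or None."""
    for sub in split_commands(command):
        tokens = shlex.split(sub)
        for runner in DELEGATING_RUNNERS:
            n = len(runner)
            if tuple(tokens[:n]) == runner:
                # First non-flag token after the runner names the package or bin.
                for tok in tokens[n:]:
                    if not tok.startswith("-"):
                        return tok
    return None


def review_lifecycle_scripts(package_json_text):
    """Classify each install-time script; returns a list of finding dicts."""
    pkg = json.loads(package_json_text)
    deps = pkg.get("dependencies", {})
    dev_deps = pkg.get("devDependencies", {})
    findings = []
    for name, command in pkg.get("scripts", {}).items():
        if name not in INSTALL_LIFECYCLE:
            continue
        finding = {"script": name, "command": command}
        target = delegated_target(command)
        if command in ALLOWLIST:
            finding.update(severity="low", reason="allowlisted build command")
        elif target is None:
            finding.update(severity="medium",
                           reason="install-time command not allowlisted; review manually")
        elif target in deps:
            # Still executes code at install time, but from a declared runtime dependency.
            finding.update(severity="medium", reason=f"delegates to runtime dependency {target!r}")
        else:
            # Heuristic (assumption): a scoped devDependency may provide the unscoped bin name.
            # devDependencies are never installed for consumers, so the runner must fetch it.
            dev_only = [d for d in dev_deps if d == target or d.split("/")[-1] == target]
            where = f"only as devDependency {dev_only[0]!r}" if dev_only else "nowhere in this package"
            finding.update(severity="high",
                           reason=f"delegates to {target!r}, declared {where}; "
                                  "the executed code comes from outside the tarball")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review_lifecycle_scripts(SAMPLE_PACKAGE_JSON):
        print(f"[{f['severity']}] {f['script']}: {f['command']} -- {f['reason']}")
```

Run against the sample, the script reports a single high finding for `postinstall`, because `config` is neither a runtime dependency nor shipped in the tarball and only `@10stars/config` exists as a devDependency. On the consumer side the blunt mitigation is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), which skips every lifecycle script, including legitimate native builds, so it trades convenience for not running unreviewed install-time code.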
Evidence
- package.json
- src/english.ts
- src/japanese.ts
- types/interfaces.d.ts
Decision evidence
public snapshot: AI called this Suspicious at 74.0% confidence, category Unknown, with medium false-positive risk.
Evidence for warning
- package.json has install-time postinstall: bunx config prepare.
- The invoked `config prepare` implementation is not included in package files; only @10stars/config is listed as a devDependency, and devDependencies are not installed for consumers, so bunx must resolve the target at install time.
Evidence against
- Package files are limited to package.json, readme/LICENSE, types, and src language files.
- src/*.ts only export translation objects and interpolation functions; no imports, fs, child_process, eval, fetch, or agent-control paths found.
- No bin/main/module/browser entrypoint is declared.
- No credential harvesting, persistence, destructive behavior, or package-owned network endpoint found in inspected source.
Behavioral surface
High Entropy Strings
Source & flagged code
2 flagged in package.json

- scripts.postinstall = bunx config prepare
  High: Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts.
  (package.json)
- scripts.postinstall = bunx config prepare
  Medium: Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.
  (package.json)

Findings
1 High · 1 Medium · 2 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Low: Scripts Present
- Low: High Entropy Strings