AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a framework CLI/runtime with user-invoked scaffolding, build, dev server, MCP inspection, self-update, and optional VS Code syntax extension installation.
Decision evidence
public snapshot- dist/upgrade-3PQYAMDO.js can run npm view/install during explicit apex upgrade self-update flow
- dist/chunk-TWAGSGFN.js can install bundled vscode/apex-alpine.vsix into detected editors after prompt or --vscode
- dist/cli.js scaffolds projects, runs package manager install, and initializes git when user runs apex new
- package.json has no preinstall/install/postinstall lifecycle scripts
- CLI entry dist/cli.js only dispatches subcommands; risky actions are user-invoked
- vscode/apex-alpine.vsix contains declarative language grammar files and no extension main/activation script
- No credential harvesting, broad filesystem scanning, remote payload download, or exfiltration endpoint found
- Network use is package-aligned: npm version checks/installs and localhost MCP client/server URLs
Source & flagged code
8 flagged · loading sourcePackage source references child process execution.
dist/upgrade-3PQYAMDO.jsView on unpkg · L12Package source invokes a package manager install command at runtime.
dist/upgrade-3PQYAMDO.jsView on unpkg · L44Package source references dynamic require/import behavior.
dist/start-EYOIPHWS.jsView on unpkg · L59Package ships high-entropy non-source blobs.
vscode/apex-alpine.vsixView on unpkgPackage ships compressed or archive-like blobs.
vscode/apex-alpine.vsixView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
vscode/apex-alpine.vsixView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server-44DKXG7P.jsView on unpkg