registry  /  @apex-stack/core  /  0.8.0

@apex-stack/core@0.8.0

The full-stack meta-framework for Alpine.js — CLI and runtime

AI Security Review

scanned 5d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package has a guarded first-party editor extension install path from explicit apex CLI commands, plus normal scaffold dependency installation and self-update behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs apex new or apex upgrade, optionally with --vscode or accepting/defaulting the extension prompt
Impact
May install a bundled first-party .alpine syntax VSIX into code/cursor/windsurf/codium; no evidence of code execution inside the VSIX or data theft.
Mechanism
User-invoked editor extension installation and scaffold/package-manager commands
Rationale
Static inspection found guarded, user-invoked editor extension installation and package-manager operations, but no npm lifecycle mutation, exfiltration, hidden payload execution, or malicious VSIX code. Per policy this merits warn rather than publish block.
Evidence
package.jsondist/cli.jsdist/chunk-TWAGSGFN.jsdist/upgrade-YZN6TVNI.jsdist/mcp-CH7L4GF3.jsvscode/apex-alpine.vsixtemplates/defaulttarget project package.json
Network endpoints4
localhost:3000/mcpapexjs.sitegithub.com/andrecorugda/apexjsgithub.com/andrecorugda/apexjs/issues

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/chunk-TWAGSGFN.js installs bundled vscode/apex-alpine.vsix via detected editor CLI with --install-extension --force
  • dist/cli.js calls offerExtension after apex new; dist/upgrade-YZN6TVNI.js calls it after apex upgrade
  • dist/upgrade-YZN6TVNI.js can run npm view and npm install -g @apex-stack/core@latest when user accepts self-update
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • VSIX contents are package-aligned syntax highlighting files; extension/package.json has no activationEvents or main executable
  • child_process use is user-invoked CLI scaffolding: git init, package manager install, editor open/install
  • No credential harvesting, destructive logic, broad agent config writes, or exfiltration endpoints found
  • Network use is local MCP URL/default localhost and npm registry self-update/package install behavior
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 111 KB of source

Source & flagged code

8 flagged · loading source
dist/chunk-TWAGSGFN.jsView file
1// src/vscode.ts L2: import { spawnSync } from "child_process"; L3: import { existsSync, readFileSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-TWAGSGFN.jsView on unpkg · L1
dist/upgrade-YZN6TVNI.jsView file
46} L47: async function maybeSelfUpdate(reexecArgv, choice) { L48: if (choice === false) return false;
High
Shell

Package source references shell execution.

dist/upgrade-YZN6TVNI.jsView on unpkg · L46
44function installGlobalLatest() { L45: return spawnSync("npm", ["install", "-g", `${PKG}@latest`], { stdio: "inherit", shell: WIN }).status === 0; L46: } ... L58: if (!yes) { L59: log(` ${color.gray("Skipped. Update later with")} ${color.cyan(`npm i -g ${PKG}@latest`)} L60: `);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/upgrade-YZN6TVNI.jsView on unpkg · L44
dist/build-WKK4BCQI.jsView file
30try { L31: const req = createRequire(join(root, "package.json")); L32: const mod = await import(pathToFileURL(req.resolve("@tailwindcss/vite")).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/build-WKK4BCQI.jsView on unpkg · L30
vscode/apex-alpine.vsixView file
path = vscode/apex-alpine.vsix kind = high_entropy_blob sizeBytes = 33222 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

vscode/apex-alpine.vsixView on unpkg
path = vscode/apex-alpine.vsix kind = compressed_blob sizeBytes = 33222 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

vscode/apex-alpine.vsixView on unpkg
path = vscode/apex-alpine.vsix kind = nested_archive_needs_inspection sizeBytes = 33222 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

vscode/apex-alpine.vsixView on unpkg
dist/server-UVY6DFK2.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @apex-stack/core@0.7.8 matchedIdentity = npm:QGFwZXgtc3RhY2svY29yZQ:0.7.8 similarity = 0.821 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server-UVY6DFK2.jsView on unpkg

Findings

1 Critical4 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/server-UVY6DFK2.js
HighChild Processdist/chunk-TWAGSGFN.js
HighShelldist/upgrade-YZN6TVNI.js
HighRuntime Package Installdist/upgrade-YZN6TVNI.js
HighShips High Entropy Blobvscode/apex-alpine.vsix
MediumDynamic Requiredist/build-WKK4BCQI.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobvscode/apex-alpine.vsix
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNested Archive Needs Inspectionvscode/apex-alpine.vsix