AI Security Review
scanned 14h ago · by lpm-firewall-aiThe package uses a postinstall downloader to fetch a platform-specific executable, then exposes a CLI wrapper that runs it on user invocation. This is unresolved binary supply-chain risk, but source inspection did not show malicious install-time execution or exfiltration.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user running apex invokes the binary
Impact
Downloaded executable can perform arbitrary actions when invoked, but reviewed JS does not execute it during install
Mechanism
postinstall binary download plus CLI spawn wrapper
Rationale
The package is not proven malicious from source inspection, but postinstall retrieval of an opaque executable creates real unresolved supply-chain risk. The risk supports a warning rather than a publish block because the downloader is package-aligned and no concrete attack behavior was found.
Evidence
package.jsoninstall.jsapex.jsREADME.mdbin/apexbin/apex.exe
Network endpoints1
github.com/Apex-Foundation/copilot/releases/download/v1.0.1/apex-{linux-x64|darwin-arm64|darwin-x64|windows-x64}
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node install.js.
- install.js downloads a platform binary from GitHub releases into ./bin/apex or ./bin/apex.exe and chmods it executable.
- apex.js spawns the package-local binary with inherited stdio and process.env when the user runs apex.
Evidence against
- No preinstall/install-time execution of the downloaded binary; install.js only downloads and chmods it.
- No credential harvesting, broad filesystem reads, exfiltration logic, or AI-agent config/control-surface writes found in published files.
- Only package files present are package.json, install.js, apex.js, and README.md.
- Network endpoint is a package-aligned GitHub release URL for Apex-Foundation/copilot.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings