registry  /  @apexfdn/apex  /  1.0.8

@apexfdn/apex@1.0.8

Coding agent CLI with read, bash, edit, write tools and session management

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install runs a downloader that retrieves a native CLI binary from GitHub releases and stores it under the package bin directory. The binary is then executed only when the user invokes the apex command, but its contents are not inspectable from the package source.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall downloads binary; user invoking apex executes it
Impact
Unverified remote executable can run with user environment on CLI invocation; no confirmed malicious behavior in package source
Mechanism
remote native binary download and CLI wrapper execution
Rationale
Static inspection confirms a postinstall remote native binary download without integrity verification, but no concrete source-level malicious behavior such as credential theft, destructive actions, persistence, or install-time execution of the payload. Treat as suspicious due to unresolved binary payload risk rather than block as confirmed malware.
Evidence
package.jsoninstall.cjsapex.cjsREADME.mdbin/apexbin/apex.exe
Network endpoints1
github.com/Apex-Foundation/copilot/releases/download/v1.0.0/apex-${target}

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node install.cjs
  • install.cjs downloads a platform executable from GitHub releases without checksum/signature verification
  • install.cjs writes to bin/apex or bin/apex.exe and chmods it executable
  • apex.cjs bin wrapper spawnSyncs the downloaded executable with inherited stdio/env
  • README/package metadata reference oh-my-pi/can1357 while installer fetches Apex-Foundation/copilot
Evidence against
  • No source shows credential harvesting, destructive filesystem actions, or persistence
  • No install-time execution of the downloaded binary was found
  • Network use is limited to GitHub release download in inspected source
  • bin/apex in the package is an empty placeholder
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.56 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node install.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @apexfdn/apex@1.0.5 matchedIdentity = npm:QGFwZXhmZG4vYXBleA:1.0.5 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

install.cjsView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltainstall.cjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings