AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package is a thin npm wrapper that fetches a native aramb binary during postinstall. The packaged JS does not show malicious behavior, but the effective CLI payload is a remote executable not present for source inspection.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes aramb CLI
Impact
Unverified native binary becomes executable package code; no confirmed malicious behavior in inspected source
Mechanism
install-time remote binary download and user-invoked child process wrapper
Rationale
This is not enough for a malicious block because the visible source performs package-aligned binary installation and user-invoked execution only. It should be warned as a staged payload carrier because install-time code fetches an executable payload that cannot be statically reviewed from the package contents.
Evidence
package.jsonnpm/install.jsnpm/bin/aramb.jsREADME.mdbin/arambbin/aramb.exe
Network endpoints2
github.com/aramb-ai/release-beta/releases/download/${version}/${asset}github.com/aramb-ai/release-beta/releases
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node npm/install.js
- npm/install.js downloads a platform executable from GitHub releases at install time
- npm/install.js writes package-local bin/aramb or bin/aramb.exe and chmods it executable
- npm/bin/aramb.js later spawnSyncs the downloaded binary with user CLI args
Evidence against
- No source evidence of credential harvesting, env enumeration beyond ARAMB_VERSION, or exfiltration in packaged JS
- Network URL is package-aligned GitHub release repo, not an unrelated host
- No AI-agent config writes, persistence setup, destructive file operations, eval/vm, or broad filesystem scanning found
- Downloaded binary is not executed during postinstall; execution requires invoking aramb CLI
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node npm/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node npm/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings