AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious payload is present in package source. The residual risk is an install-time lifecycle hook invoking npx sort-package-json, which may execute tooling during npm install.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
Potential install-time execution of sort-package-json tooling; no observed exfiltration, persistence, destructive behavior, or runtime attack code.
Mechanism
install-time npx formatter invocation
Rationale
The package is not confirmed malicious, but an install-time npx invocation is unnecessary for a published library and creates avoidable execution risk. Runtime source is benign and package-aligned, so this should warn rather than block.
Evidence
package.jsonsrc/index.jssrc/BlockquoteBaseMeta.js
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: npm run sort:package
- sort:package runs npx sort-package-json during install
- npx can execute/download tooling at install time if unavailable
Evidence against
- src/index.js only re-exports BlockquoteBaseMeta
- src/BlockquoteBaseMeta.js implements in-memory Map-backed metadata storage
- No child_process, fs, eval, dynamic import, credential access, or runtime network calls in src
- Only URLs found in source are documentation/comment links
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present