AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious payload was found in source. The unresolved risk is an unnecessary install-time hook invoking npx for package sorting.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
Executes an external CLI during install and may mutate package.json formatting; no exfiltration or persistence observed
Mechanism
install-time npx sort-package-json command
Rationale
The package is not malicious by source behavior, but an install-time npx command creates real supply-chain risk that is not needed for a published runtime package. Mark as suspicious/warn rather than block because there is no concrete malicious payload or hostile endpoint in the package source.
Evidence
package.jsonsrc/index.jssrc/BlockquoteControllerContextMeta.jssrc/BaseContextMetaElement.jssrc/directives/context-meta-provider.jssrc/directives/cache-context-meta-provider.js
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: npm run sort:package
- sort:package runs npx sort-package-json, an unpinned install-time command not declared in dependencies
- postinstall can execute during npm install and may rewrite package.json formatting
Evidence against
- src/index.js only re-exports package modules
- src/BlockquoteControllerContextMeta.js uses Lit @lit/context provider/consumer APIs only
- src/BaseContextMetaElement.js only defines a Lit element and role attribute default
- src/directives/*.js only cache and apply context providers with WeakMap/Map
- No credential harvesting, shell commands, eval, destructive filesystem calls, or package-authored network endpoints found
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present