AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious payload was found in package source. The remaining risk is an install-time lifecycle hook that invokes npm/npx to run a package formatter.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
May execute externally resolved tooling and mutate the installed package.json, but no exfiltration or malicious code is present in reviewed package files.
Mechanism
install-time npx formatter invocation
Rationale
Static inspection found a questionable install hook, but the shipped source is a Lit web component and contains no concrete credential theft, exfiltration, remote payload loader, persistence, destructive action, or AI-agent control-surface mutation. Because postinstall invokes npx for a formatter during consumer install, downgrade to warning rather than mark malicious.
Evidence
package.jsonsrc/index.jssrc/BlockquoteTabs.jssrc/tab/BlockquoteTab.jssrc/tabpanel/BlockquoteTabPanel.jssrc/define/blockquote-tabs.jssrc/define/blockquote-tab.jssrc/define/blockquote-tabpanel.jssrc/styles/blockquote-tabs-styles.css.jssrc/tab/styles/blockquote-tab-styles.css.jssrc/tabpanel/styles/blockquote-tabpanel-styles.css.js
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: npm run sort:package
- sort:package runs npx sort-package-json at install time
- sort-package-json is not listed as a dependency, so npx may resolve externally during install
Evidence against
- src/index.js only re-exports component classes
- src/BlockquoteTabs.js implements Lit tab UI behavior with DOM events and ResizeObserver
- src/define/*.js only registers custom elements
- No credential/env harvesting, child_process use in source, eval/Function, or package-coded network endpoints found
- Style files only export Lit CSS
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present