AI Security Review
scanned 2h ago · by lpm-firewall-aiOn npm install, the package deploys its bundled platform-native UI binary to a per-user `msger/bin` path outside `node_modules`; runtime code subsequently spawns it. This is package-owned executable persistence for upgrade/taskbar behavior, not a confirmed malicious chain.
Decision evidence
public snapshot- `package.json` automatically runs `msger-native/builder/postinstall.js`.
- `postinstall.js` copies the bundled native executable into a per-user `msger/bin` directory, creates a stable hardlink/copy, and cleans stale package-named copies.
- `shower.js` launches that native executable through `spawn` when the library/CLI is invoked.
- The package ships platform-native ELF, PE, and Mach-O binaries plus a WebView2 profile/cache artifact.
- Inspected install source performs local package-binary copying only; it contains no network client, shell command, eval, or dynamic payload retrieval.
- Runtime network URLs are explicit caller-controlled `-url`/`-htmlfrom` WebView features, documented as trusted-content-only; no package-controlled endpoint was found.
- No credential harvesting, environment exfiltration, destructive file behavior, or AI-agent control-surface mutation was found in inspected JavaScript.
- The copied executable is directly aligned with the declared cross-platform message-box/WebView functionality.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage ships native binary artifacts.
msger-native/bin/msgernative-darwin-arm64View on unpkgPackage ships high-entropy non-source blobs.
msger-native/bin/msgernative.exe.WebView2/EBWebView/CertificateRevocation/6498.2025.9.4/crl-setView on unpkg