registry  /  @bobfrankston/msger  /  0.1.391

@bobfrankston/msger@0.1.391

Fast, lightweight, cross-platform message box - Rust-powered alternative to msgview

AI Security Review

scanned 2h ago · by lpm-firewall-ai

On npm install, the package deploys its bundled platform-native UI binary to a per-user `msger/bin` path outside `node_modules`; runtime code subsequently spawns it. This is package-owned executable persistence for upgrade/taskbar behavior, not a confirmed malicious chain.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` runs `postinstall`; library or `msger` CLI use spawns the native UI binary.
Impact
Leaves a package-owned runnable binary outside `node_modules`; supplied URLs/HTML execute in the package's WebView and are explicitly not sandboxed.
Mechanism
per-user native binary provisioning and caller-supplied WebView rendering
Rationale
The package has a real install-time persistence-like capability: it deposits and later executes a native binary outside `node_modules`. Its inspected source is package-aligned and lacks a concrete malicious chain, so this warrants a non-blocking warning rather than a block.
Evidence
package.jsonmsger-native/builder/postinstall.jsshower.jscli.jsREADME.mdmsger-native/bin/msgernativemsger-native/bin/msgernative.exemsger-native/bin/msgernative-darwin-arm64msger-native/bin/msgernative-linux-aarch64

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` automatically runs `msger-native/builder/postinstall.js`.
  • `postinstall.js` copies the bundled native executable into a per-user `msger/bin` directory, creates a stable hardlink/copy, and cleans stale package-named copies.
  • `shower.js` launches that native executable through `spawn` when the library/CLI is invoked.
  • The package ships platform-native ELF, PE, and Mach-O binaries plus a WebView2 profile/cache artifact.
Evidence against
  • Inspected install source performs local package-binary copying only; it contains no network client, shell command, eval, or dynamic payload retrieval.
  • Runtime network URLs are explicit caller-controlled `-url`/`-htmlfrom` WebView features, documented as trusted-content-only; no package-controlled endpoint was found.
  • No credential harvesting, environment exfiltration, destructive file behavior, or AI-agent control-surface mutation was found in inspected JavaScript.
  • The copied executable is directly aligned with the declared cross-platform message-box/WebView functionality.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 82.5 KB of source, external domains: example.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node msger-native/builder/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node msger-native/builder/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
msger-native/bin/msgernative-darwin-arm64View file
path = msger-native/bin/msgernative-darwin-arm64 kind = native_binary sizeBytes = 5650704 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

msger-native/bin/msgernative-darwin-arm64View on unpkg
msger-native/bin/msgernative.exe.WebView2/EBWebView/CertificateRevocation/6498.2025.9.4/crl-setView file
path = msger-native/bin/msgernative.exe.[redacted].2025.9.4/crl-set kind = high_entropy_blob sizeBytes = 23123 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

msger-native/bin/msgernative.exe.WebView2/EBWebView/CertificateRevocation/6498.2025.9.4/crl-setView on unpkg

Findings

2 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobmsger-native/bin/msgernative.exe.WebView2/EBWebView/CertificateRevocation/6498.2025.9.4/crl-set
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarymsger-native/bin/msgernative-darwin-arm64
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings