registry  /  @bobfrankston/msger  /  0.1.389

@bobfrankston/msger@0.1.389

Fast, lightweight, cross-platform message box - Rust-powered alternative to msgview

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package installs and launches bundled native message-box/WebView executables. Its per-user binary copies are package-aligned runtime support, with no confirmed exfiltration or remote payload chain.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or an application/CLI call to show a message box
Impact
Creates package-owned user-bin executable copies and can render user-provided local or remote web content.
Mechanism
local native-binary provisioning and stdio-driven UI launch
Rationale
Static inspection shows a native cross-platform dialog/WebView package whose postinstall provisions bundled binaries outside node_modules to avoid locked-file upgrade issues. The persistence-like file operations are package-aligned and no concrete malicious behavior, remote payload execution, credential access, or exfiltration was found.
Evidence
package.jsonmsger-native/builder/postinstall.jsshower.jscli.jsindex.jsmsger-native/bin/msgernativemsger-native/bin/msgernative.exemsger-native/bin/msgernative-darwin-arm64msger-native/bin/msgernative-linux-aarch64

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `msger-native/builder/postinstall.js` copies bundled native executables into a per-user bin directory during `postinstall`.
  • `shower.js` provisions per-app executable copies/hardlinks and launches the native binary.
Evidence against
  • `package.json` lifecycle hook runs only the local `msger-native/builder/postinstall.js`; no download or network code appears there.
  • `postinstall.js` selects only packaged platform binaries, sets permissions, and removes its own stale copies.
  • `shower.js` invokes the selected local native UI binary with JSON over stdio; no credential harvesting or exfiltration is present.
  • Network-capable `-url`/`-htmlfrom` behavior is explicitly user-supplied CLI functionality, not install-time activity.
  • No AI-agent configuration writes, shell payloads, dynamic remote imports, or foreign control-surface mutation were found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 82.5 KB of source, external domains: example.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node msger-native/builder/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node msger-native/builder/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
msger-native/bin/msgernative-darwin-arm64View file
path = msger-native/bin/msgernative-darwin-arm64 kind = native_binary sizeBytes = 5650704 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

msger-native/bin/msgernative-darwin-arm64View on unpkg
msger-native/bin/msgernative.exe.WebView2/EBWebView/CertificateRevocation/6498.2025.9.4/crl-setView file
path = msger-native/bin/msgernative.exe.[redacted].2025.9.4/crl-set kind = high_entropy_blob sizeBytes = 23123 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

msger-native/bin/msgernative.exe.WebView2/EBWebView/CertificateRevocation/6498.2025.9.4/crl-setView on unpkg

Findings

2 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobmsger-native/bin/msgernative.exe.WebView2/EBWebView/CertificateRevocation/6498.2025.9.4/crl-set
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarymsger-native/bin/msgernative-darwin-arm64
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings