registry  /  @bugsee/bugsee-cli  /  0.7.3

@bugsee/bugsee-cli@0.7.3

Bugsee CLI — cross-platform symbol collection, conversion, and upload.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Postinstall fetches a platform-specific executable from the configured Bugsee GitHub release and extracts it inside the package. The wrapper executes that downloaded executable when the user invokes `bugsee-cli`.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers download; an explicit `bugsee-cli` command triggers execution.
Impact
A compromised or redirected release artifact could supply arbitrary native code for later CLI execution.
Mechanism
unverified remote binary bootstrapper
Rationale
The package's install-time remote binary download lacks source-level integrity verification, leaving a supply-chain execution path. Its endpoint and behavior otherwise match a CLI binary installer, so the evidence does not establish intentional malware.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-bugsee-cli.jsnode_modules/.bin_real
Network endpoints1
github.com/bugsee/bugsee-cli/releases/download/v0.7.3

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node ./install.js` on postinstall.
  • `binary.js` builds a GitHub release URL from package metadata.
  • `binary-install.js` downloads, extracts, and later executes the fetched platform binary.
  • No checksum or signature verification is implemented for the downloaded artifact.
Evidence against
  • Network target is package-aligned: Bugsee's configured GitHub release URL.
  • Writes are limited to this package's `node_modules/.bin_real` and a temporary download.
  • Environment reads only configure standard HTTP proxy routing.
  • No credential harvesting, AI-agent config mutation, persistence outside the package, or source-level exfiltration found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License