AI Security Review
scanned 2h ago · by lpm-firewall-aiPostinstall fetches a platform-specific executable from the configured Bugsee GitHub release and extracts it inside the package. The wrapper executes that downloaded executable when the user invokes `bugsee-cli`.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers download; an explicit `bugsee-cli` command triggers execution.
Impact
A compromised or redirected release artifact could supply arbitrary native code for later CLI execution.
Mechanism
unverified remote binary bootstrapper
Rationale
The package's install-time remote binary download lacks source-level integrity verification, leaving a supply-chain execution path. Its endpoint and behavior otherwise match a CLI binary installer, so the evidence does not establish intentional malware.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-bugsee-cli.jsnode_modules/.bin_real
Network endpoints1
github.com/bugsee/bugsee-cli/releases/download/v0.7.3
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` runs `node ./install.js` on postinstall.
- `binary.js` builds a GitHub release URL from package metadata.
- `binary-install.js` downloads, extracts, and later executes the fetched platform binary.
- No checksum or signature verification is implemented for the downloaded artifact.
Evidence against
- Network target is package-aligned: Bugsee's configured GitHub release URL.
- Writes are limited to this package's `node_modules/.bin_real` and a temporary download.
- Environment reads only configure standard HTTP proxy routing.
- No credential harvesting, AI-agent config mutation, persistence outside the package, or source-level exfiltration found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License