registry  /  @bugsee/bugsee-cli  /  0.3.0

@bugsee/bugsee-cli@0.3.0

Bugsee CLI — cross-platform symbol collection, conversion, and upload.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Installation downloads and extracts a platform-specific executable from GitHub into the package directory. A later explicit `bugsee-cli` invocation executes that downloaded executable. No malicious behavior is established in the JavaScript wrapper itself.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads the artifact; explicit `bugsee-cli` execution runs it.
Impact
A compromised release or redirected artifact could execute with the invoking user's privileges.
Mechanism
remote binary download, extraction, and deferred execution without integrity verification
Rationale
This is a package-aligned binary installer rather than confirmed malware, but its unverified install-time remote payload staging is a real unresolved supply-chain risk.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-bugsee-cli.jsnode_modules/.bin_real
Network endpoints1
github.com/bugsee/bugsee-cli/releases/download/v0.3.0

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall` via `install.js`.
  • `binary.js` constructs a release URL from package metadata.
  • `binary-install.js` downloads and extracts a platform binary without checksum/signature verification.
  • `run-bugsee-cli.js` later executes the extracted binary.
Evidence against
  • Release base URL is fixed to the package-aligned GitHub project.
  • Source contains no credential harvesting or exfiltration logic.
  • Filesystem removal is limited to its own `node_modules/.bin_real` directory.
  • No AI-agent configuration, persistence, eval, or import-time binary execution found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License