registry  /  @chojs23/concord  /  2.4.0

@chojs23/concord@2.4.0

A terminal user interface client for Discord

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code fetches a platform binary from the package's GitHub release URL and extracts it locally without integrity verification. The installed CLI subsequently executes that fetched binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers `postinstall`; invoking `concord` executes the installed binary.
Impact
A compromised or replaced release artifact could run arbitrary native code when the CLI is invoked.
Mechanism
Unverified remote binary download, extraction, and later execution.
Rationale
The loader behavior is package-aligned but creates a concrete unverified remote-payload execution path. It is not sufficient evidence of intentional malware, so warn rather than block.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-concord.jsnode_modules/.bin_real
Network endpoints1
github.com/chojs23/concord/releases/download/v2.4.0

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall` running `install.js`.
  • `binary.js` builds a GitHub release URL from package metadata.
  • `binary-install.js` downloads archives during install and extracts them into `node_modules/.bin_real`.
  • No checksum, signature, or pinned artifact digest is verified before extraction.
  • `run-concord.js` later executes the extracted `concord` binary.
Evidence against
  • No credential, environment, home-directory, or secret-file harvesting found in package JavaScript.
  • No exfiltration endpoint beyond the package-aligned GitHub release URL.
  • No AI-agent configuration writes, stealth persistence, eval, or dynamic code loading found.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 4 file(s), 10.0 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License