AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package causes npm to retrieve an uninspected remote tarball dependency. No package-owned runtime attack code or lifecycle hook is present.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation or dependency resolution
Impact
The external archive can supply code outside the inspected package source.
Mechanism
Remote tarball dependency installation
Rationale
Source inspection confirms no direct malicious behavior, but the remote tarball dependency remains an unresolved executable supply-chain payload. Flag as suspicious rather than block because the archive's behavior is not established from this package source.
Evidence
package.jsonindex.js
Network endpoints1
ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.2.tgz
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` installs `ltidisafe` from an external tarball URL.
- The package source is otherwise inert, making the remote dependency the only executable supply-chain surface.
Evidence against
- `index.js` only exports an empty object.
- `package.json` defines no preinstall, install, postinstall, or prepare hook.
- No credential access, shell execution, persistence, or exfiltration exists in inspected package files.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Remote tarball dependency specs: ltidisafe@https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.2.tgz
Medium
Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgFindings
1 Medium1 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present