AI Security Review
scanned 2h ago · by lpm-firewall-ai
The npm package is a thin launcher that installs a Python package named utim-cli at install time or first run. This is a real lifecycle download/execute surface, but the inspected npm source does not show concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; running utim triggers first-run installer and launcher
Impact
Installs and executes external Python package code outside this npm tarball; no confirmed exfiltration, persistence, or agent control hijack in inspected source
Mechanism
lifecycle and CLI pip installation of package-aligned Python engine
Attack narrative
On npm install, scripts/postinstall.js looks for Python, chmods bin/utim.js on Unix, and silently runs pip install --upgrade --quiet utim-cli. If that prewarm does not happen or fails, bin/utim.js repeats pip installation on first utim execution and then launches python -m utim_cli.utim. The npm source itself contains no credential collection, obfuscation, destructive action, or foreign AI-agent control-surface writes.
Rationale
The package has unresolved supply-chain risk because it downloads and installs a separate PyPI engine from an npm lifecycle hook, but the behavior is clearly package-aligned and no concrete malicious attack behavior is present in the inspected source. Warn rather than block.
Evidence
- package.json
- scripts/postinstall.js
- bin/utim.js
- README.md
- Python site-packages via pip install utim-cli
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node scripts/postinstall.js
- scripts/postinstall.js runs python -m pip install --upgrade --quiet utim-cli during npm install
- bin/utim.js auto-installs/upgrades utim-cli with pip on first CLI run if missing
- bin/utim.js launches python -m utim_cli.utim and forwards user args
Evidence against
- No code writes Claude/Codex/Cursor/MCP control-surface files in the npm package
- No credential harvesting, secret file reads, or exfiltration logic found
- No eval/vm/Function or obfuscated payloads found
- Network behavior is package-aligned dependency installation rather than hardcoded exfil endpoint
- postinstall failures are swallowed and do not persist daemons or hooks
Behavioral surface
- ChildProcess
- EnvironmentVars
- Filesystem
- UrlStrings
Source & flagged code
2 flagged
package.json
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings