AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a bundled Evercam API client; the lifecycle hook appears to be a broken monorepo bootstrap check rather than a packaged payload.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install for lifecycle hook; runtime import/use for API requests
Impact
runtime requests to caller-configured Evercam/Firebase/Labs endpoints; no credential harvesting or install-time mutation observed
Mechanism
axios client wrappers and local IndexedDB response cache
Rationale
Static inspection found a suspicious preinstall entry, but its referenced script is absent from the package and the distributed code is an API client with expected axios calls and cache helpers. No install-time payload, exfiltration, persistence, shell execution, dynamic code loading, or agent control-surface mutation was found.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints1
${e}.labs.evercam.io
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json preinstall calls ../shared/ci-scripts/check-bootstrap.js, but that file is not packaged and no payload is present
- dist/index.js imports only axios and humps, with no child_process/fs/eval/native loading matches
- dist/index.js creates an axios API client and exports endpoint wrappers for Evercam services
- network use is runtime API calls based on caller-configured env/base URLs, not install-time exfiltration
- IndexedDB use in dist/index.js is SWR cache storage for API responses
- no AI-agent control-surface writes or persistence files found in package
Behavioral surface
ChildProcessNetwork
Minified
WildcardDependency
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumWildcard Dependency
LowScripts Present