registry  /  @evercam/api  /  1.0.0-ae97ae0a0

@evercam/api@1.0.0-ae97ae0a0

Evercam API client

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No bundled malicious payload was confirmed. The unresolved risk is an install-time hook that attempts to execute a sibling ../shared script not present in this package.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle preinstall
Impact
Could execute code outside the package if that path exists in the install environment; otherwise likely fails with missing module.
Mechanism
external sibling script execution via package.json preinstall
Attack narrative
During install, npm would run package.json preinstall, invoking node on ../shared/ci-scripts/check-bootstrap.js. That file is not bundled in the inspected package, so no malicious payload can be verified from the package contents. Runtime code is an API client that sends caller-invoked axios requests to configured Evercam-related endpoints and arbitrary caller-supplied API URLs.
Rationale
Source inspection finds a risky lifecycle hook to an unbundled sibling path but no concrete bundled attack behavior or exfiltration logic. This should warn rather than block because the actual package contents are API-client code and declarations.
Evidence
package.jsondist/index.jsREADME.md../shared/ci-scripts/check-bootstrap.js
Network endpoints1
${e}.labs.evercam.io

Decision evidence

public snapshot
AI called this Suspicious at 76.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines preinstall: node ../shared/ci-scripts/check-bootstrap.js
  • preinstall target is outside this package and is not included in the tarball inspected
Evidence against
  • dist/index.js is a bundled Evercam API client using axios for caller-invoked API requests
  • Network URLs are derived from caller-provided env/apiUrl values or Evercam labs host logic
  • No bundled child_process, fs writes, eval/Function, credential harvesting, persistence, or destructive code found
  • README.md contains only package title; no prompt/reviewer manipulation found
Behavioral surface
Source
ChildProcessNetwork
Supply chain
Minified
Manifest
WildcardDependency
scanned 2 file(s), 312 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumWildcard Dependency
LowScripts Present