registry  /  @explorer02/cfm-survey-sdk  /  0.8.4

@explorer02/cfm-survey-sdk@0.8.4

A headless React SDK for building survey experiences. Give it a survey instance and it handles fetching, page navigation, answer state, validation, progress, and submission — you keep full control over the markup and styling.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package as a dependency mutates foreign AI-agent instruction files in the consuming project. The mutation occurs without an explicit user command and defaults to broad multi-agent coverage.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
`npm install @explorer02/cfm-survey-sdk` as a consumer dependency
Impact
Hijacks or materially influences Codex, Claude, Cursor, and Antigravity project control surfaces for subsequent agent sessions.
Mechanism
postinstall detects agent environments and writes package-controlled agent stubs at project root
Policy narrative
At dependency install time, `postinstall.js` identifies or defaults across AI coding-agent platforms, then creates or merges root-level `AGENTS.md`, `CLAUDE.md`, and `.cursorrules` in the consuming project. These files instruct future agents to follow package-controlled documentation. This is unconsented postinstall mutation of a foreign, broad AI-agent control surface; no additional payload or network step is required for the control-surface impact.
Rationale
Source inspection confirms a concrete install-time AI-agent control-surface write, not merely scanner similarity. The node_modules guard and absence of observed exfiltration do not mitigate the unconsented cross-project instruction-file mutation.
Evidence
package.jsonpostinstall.jspostinstall/detect-agent.jspostinstall/agent-stubs.jstemplates/AGENT.mdAGENTS.mdCLAUDE.md.cursorrulesnode_modules/@explorer02/cfm-survey-sdk/templates/AGENT.md

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node postinstall.js` on install.
  • `postinstall.js` resolves the consumer project root from `INIT_CWD`/parent paths.
  • `postinstall.js` detects Codex, Claude, Cursor, and Antigravity environment signals.
  • `postinstall.js` writes project-root `AGENTS.md`, `CLAUDE.md`, and/or `.cursorrules`.
  • `postinstall/agent-stubs.js` injects package-controlled instructions directing agents into package docs.
  • Default detection target is `all`, so absent agent signals it writes all three control files.
Evidence against
  • Postinstall is guarded to installations under `node_modules`.
  • The inspected postinstall path has no network, credential harvesting, or shell execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 7 file(s), 372 KB of source, external domains: custom-p0.feedbook.me, distribution-dashboard-three.vercel.app, nodejs.org, raw.githubusercontent.com

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
1#!/usr/bin/env node L2: "use strict";var Li=Object.create;var It=Object.defineProperty;var Pi=Object.getOwnPropertyDescriptor;var $i=Object.getOwnPropertyNames;var Di=Object.getPrototypeOf,_i=Object.proto... L3: `).length}function wt(e,t,n){let o=new Set;if(t==="fastPath"){let i=e.fastPath;for(let r of i?.read??[])o.add(r)}else if(t==="phase"&&n!==void 0){let r=e.phases?.find(s=>String(s.i...
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: "use strict";var Li=Object.create;var It=Object.defineProperty;var Pi=Object.getOwnPropertyDescriptor;var $i=Object.getOwnPropertyNames;var Di=Object.getPrototypeOf,_i=Object.proto... L3: `).length}function wt(e,t,n){let o=new Set;if(t==="fastPath"){let i=e.fastPath;for(let r of i?.read??[])o.add(r)}else if(t==="phase"&&n!==void 0){let r=e.phases?.find(s=>String(s.i... ... L7: `,"utf8"),console.log(` L8: ${R.green}OK:${R.reset} Wrote docInventory to MANIFEST.json`)}return s.ok||e.warnOnly?0:e.ci||s.slow.length>0?1:0}function Lt(e){let t=e??kt(),n=Rt(t),o=wt(n,"fastPath"),i=Et(t,o,"... L9:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: "use strict";var Li=Object.create;var It=Object.defineProperty;var Pi=Object.getOwnPropertyDescriptor;var $i=Object.getOwnPropertyNames;var Di=Object.getPrototypeOf,_i=Object.proto... L3: `).length}function wt(e,t,n){let o=new Set;if(t==="fastPath"){let i=e.fastPath;for(let r of i?.read??[])o.add(r)}else if(t==="phase"&&n!==void 0){let r=e.phases?.find(s=>String(s.i... L4: ${R.bold}Doc read budget audit (${s.profile})${R.reset}`),console.log("\u2500".repeat(40));for(let a of s.entries){let l=a.tier==="ok"?`${R.green}OK ${R.reset}`:a.tier==="warn"?`$... ... L7: `,"utf8"),console.log(` L8: ${R.green}OK:${R.reset} Wrote docInventory to MANIFEST.json`)}return s.ok||e.warnOnly?0:e.ci||s.slow.length>0?1:0}function Lt(e){let t=e??kt(),n=Rt(t),o=wt(n,"fastPath"),i=Et(t,o,"... L9: ... L74: Source: ${e.source}`),console.log(n),console.log(""),!1}function at(e,t){let n=Lr(t);return n.length?Dr({title:"INSTALL SURVEY-TYPE DEPS (run once before Phase 6)",packages:n,proje... L75: `)){let o=n.trim();if(!o||o.startsWith("#"))continue;let i=o.indexOf("=");if(i<=0)continue;let r=o.slice(0,i).trim(),s=o.slice(i+1).trim();(s.startsWith('"')&&s.endsWith('"')||s.st... L76:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: "use strict";var Li=Object.create;var It=Object.defineProperty;var Pi=Object.getOwnPropertyDescriptor;var $i=Object.getOwnPropertyNames;var Di=Object.getPrototypeOf,_i=Object.proto... L3: `).length}function wt(e,t,n){let o=new Set;if(t==="fastPath"){let i=e.fastPath;for(let r of i?.read??[])o.add(r)}else if(t==="phase"&&n!==void 0){let r=e.phases?.find(s=>String(s.i... ... L5: ${R.dim}Total: ${s.totalLines} lines across ${s.entries.length} paths${R.reset}`),s.slow.length>0){console.log(` L6: ${R.yellow}A few doc reads are taking longer than expected even from temp files:${R.reset}`);for(let a of s.slow){let l=a.hint?` \u2014 ${a.hint}`:"";console.log(` - ${a.relPath} ... L7: `,"utf8"),console.log(`
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L1
matchType = normalized_sha256 matchedPackage = @explorer02/cfm-survey-sdk@0.8.3 matchedPath = dist/cli/index.js matchedIdentity = npm:[redacted]:0.8.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli/index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = a37966016ef75b52 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @explorer02/cfm-survey-sdk@0.8.3 matchedPath = dist/cli/index.js matchedIdentity = npm:[redacted]:0.8.3 similarity = 1.000 shingleOverlap = 6 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/cli/index.jsView on unpkg
postinstall.jsView file
24Install-time AI-agent control hijack evidence: L34: L35: fs.writeFileSync(filePath, newContent, 'utf8'); L36: } ... L41: function writeClaudeMd(targetDir) { L42: const filePath = path.join(targetDir, 'CLAUDE.md'); L43: const stub = getClaudeMdStub(); ... L47: if (!canUpdateClaudeMd(existing)) { L48: console.log('Skipped CLAUDE.md (custom content outside @AGENTS.md bridge)'); L49: return; ... L51: if (existing.trim() === stub.trim()) { L52: console.log('CLAUDE.md already up to date'); L53: return; Payload evidence from postinstall/detect-agent.js: L24: */ L25: function detectAgent(env = process.env) { L26: const override = env.CFM_SDK_AGENT;
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

postinstall.jsView on unpkg · L24
templates/docs/survey-ui/verify-agent-build.shView file
path = templates/docs/survey-ui/verify-agent-build.sh kind = build_helper sizeBytes = 10511 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/docs/survey-ui/verify-agent-build.shView on unpkg
dist/cli/index.mjsView file
matchType = normalized_sha256 matchedPackage = @explorer02/cfm-survey-sdk@0.8.3 matchedPath = dist/cli/index.mjs matchedIdentity = npm:[redacted]:0.8.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli/index.mjsView on unpkg
dist/index.jsView file
matchType = normalized_sha256 matchedPackage = @explorer02/cfm-survey-sdk@0.8.3 matchedPath = dist/index.js matchedIdentity = npm:[redacted]:0.8.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical9 High5 Medium6 Low
CriticalAi Agent Control Hijackpostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighKnown Malware Source Similaritydist/cli/index.js
HighKnown Malware Source Similaritydist/cli/index.mjs
HighKnown Malware Source Similaritydist/index.js
HighKnown Malware Source Fingerprint Signaturedist/cli/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/docs/survey-ui/verify-agent-build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License