registry  /  @explorer02/cfm-survey-sdk  /  0.9.4

@explorer02/cfm-survey-sdk@0.9.4

Headless React SDK for custom survey UIs. Matches CFM respondent-view behavior (navigation, logic, validation, progress, submission); you own all presentation.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code modifies broad, foreign AI-agent instruction surfaces in the consuming project. By default it targets all supported agent configurations.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm dependency installation in a consumer project
Impact
Can steer Codex, Claude Code, Cursor, or Antigravity behavior through package-supplied instructions.
Mechanism
postinstall agent-instruction file injection
Policy narrative
On installation, `postinstall.js` detects an AI coding environment and writes project-root instruction files. If it cannot identify one, it defaults to writing `AGENTS.md`, `CLAUDE.md`, and `.cursorrules`, each redirecting agents to a contract controlled by the installed package. This is an unconsented install-time mutation of broad AI-agent control surfaces.
Rationale
The package has a concrete, automatic postinstall chain that modifies foreign project-level AI-agent control files and defaults to all targets. No exfiltration was found, but the control-surface mutation alone meets the publish-block boundary.
Evidence
package.jsonpostinstall.jspostinstall/detect-agent.jspostinstall/agent-stubs.jstemplates/docs/00-integration/setup/agent-stubs.mdAGENTS.mdCLAUDE.md.cursorrulesnode_modules/@explorer02/cfm-survey-sdk/templates/AGENT.md

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node postinstall.js` on install.
  • `postinstall.js` writes project-root `AGENTS.md`, `CLAUDE.md`, and `.cursorrules`.
  • `postinstall/detect-agent.js` defaults to `all` when no agent signal is present.
  • `postinstall/agent-stubs.js` injects instructions directing agents to package-controlled `templates/AGENT.md`.
  • Writes occur automatically for consumer installs, without user confirmation.
Evidence against
  • No credential harvesting or network use was found in postinstall sources.
  • Stub writes use markers and preserve much existing content.
  • `dist/index.js` is a React/query SDK with no import-time filesystem or process execution.
  • CLI process and network-related features are explicit `cfm-sdk` user commands.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 7 file(s), 398 KB of source, external domains: custom-p0.feedbook.me, distribution-dashboard-three.vercel.app, nodejs.org, raw.githubusercontent.com

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
1#!/usr/bin/env node L2: "use strict";var cr=Object.create;var Ut=Object.defineProperty;var pr=Object.getOwnPropertyDescriptor;var dr=Object.getOwnPropertyNames;var ur=Object.getPrototypeOf,fr=Object.proto... L3:
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L1
114`),process.exit(1))):(console.log(` L115: \u274C ${c.red}winget package manager is not installed on this system.${c.reset}`),console.log(`${c.bold}\u{1F449} To proceed, please either:${c.reset}`),console.log(" 1. Install... L116: `),process.exit(1)):s?ge("brew")?(console.log(` ... L121: `),process.exit(1))):(console.log(` L122: \u274C ${c.red}Homebrew package manager (brew) is not installed on this system.${c.reset}`),console.log(`${c.bold}\u{1F449} To proceed, please either:${c.reset}`),console.log(" 1... L123: `),process.exit(1)):(console.log(` ... L128: \u26A0\uFE0F ${c.yellow}Global installation failed or permissions restricted.${c.reset}`),console.log(`\u2139 ${c.dim}Falling back: Running Vercel dynamically via npx.${c.reset}`)... L129: ${c.dim}Step 3/4: Checking Vercel Login...${c.reset}`);let t=!!process.env.VERCEL_TOKEN,n=!1;if(t)console.log(`\u2714 ${c.green}VERCEL_TOKEN environment variable detected. Skipping... L130: \u2714 ${c.green}Logged in successfully!${c.reset}`)}return t}k();ae();async function xn(e,t){console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L114
1#!/usr/bin/env node L2: "use strict";var cr=Object.create;var Ut=Object.defineProperty;var pr=Object.getOwnPropertyDescriptor;var dr=Object.getOwnPropertyNames;var ur=Object.getPrototypeOf,fr=Object.proto... L3: ... L64: L65: Example reply: "yes, AWS" or "no"`,Tn="CFM_NEXT_STEP=ASK_DEPLOY"});function bn(e){return In.join(e,wr)}function Rn(){return process.env.CFM_SKIP_WORKFLOW_GATE==="1"}function je(e){... L66: `,"utf8")}function wn(e){Bt(e,{version:1,coreVerifyPassedAt:new Date().toISOString(),deployConfirmed:null,distributionS3Key:null})}function kn(e){let t=je(e);if(!t?.coreVerifyPasse... L67: `).length}function ct(e,t,n){let o=new Set;if(t==="fastPath"){let s=e.fastPath;for(let r of s?.read??[])o.add(r)}else if(t==="phase"&&n!==void 0){let r=e.phases?.find(i=>String(i.i... ... L74: Source: ${e.source}`),console.log(n),console.log(""),!1}function mt(e,t,n=!1){let o=ui(t,n);return o.length?gi({title:"INSTALL SURVEY-TYPE DEPS (run once before Phase 6)",packages:... L75: `)){let o=n.trim();if(!o||o.startsWith("#"))continue;let s=o.indexOf("=");if(s<=0)continue;let r=o.slice(0,s).trim(),i=o.slice(s+1).trim();(i.startsWith('"')&&i.endsWith('"')||i.st... L76: `)}function Vs(e){r
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.jsView on unpkg · L1
121`),process.exit(1))):(console.log(` L122: \u274C ${c.red}Homebrew package manager (brew) is not installed on this system.${c.reset}`),console.log(`${c.bold}\u{1F449} To proceed, please either:${c.reset}`),console.log(" 1... L123: `),process.exit(1)):(console.log(` ... L126: ${c.dim}Step 2/4: Checking Vercel CLI...${c.reset}`);let e="vercel",t=!1;if(ge("vercel"))console.log(`\u2714 ${c.green}Vercel CLI is installed!${c.reset}`);else{console.log(`\u2753... L127: \u{1F4E5} ${c.cyan}Installing Vercel CLI globally... (npm install -g vercel)${c.reset}`),J("npm",["install","-g","vercel"])&&ge("vercel")?console.log(`\u2714 ${c.green}Vercel CLI i... L128: \u26A0\uFE0F ${c.yellow}Global installation failed or permissions restricted.${c.reset}`),console.log(`\u2139 ${c.dim}Falling back: Running Vercel dynamically via npx.${c.reset}`)...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L121
matchType = normalized_sha256 matchedPackage = @explorer02/cfm-survey-sdk@0.9.3 matchedPath = dist/cli/index.js matchedIdentity = npm:[redacted]:0.9.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli/index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 6f53b47cd1f81692 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @explorer02/cfm-survey-sdk@0.9.3 matchedPath = dist/cli/index.js matchedIdentity = npm:[redacted]:0.9.3 similarity = 1.000 shingleOverlap = 6 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/cli/index.jsView on unpkg
postinstall.jsView file
24Install-time AI-agent control hijack evidence: L34: L35: fs.writeFileSync(filePath, newContent, 'utf8'); L36: } ... L41: function writeClaudeMd(targetDir) { L42: const filePath = path.join(targetDir, 'CLAUDE.md'); L43: const stub = getClaudeMdStub(); ... L47: if (!canUpdateClaudeMd(existing)) { L48: console.log('Skipped CLAUDE.md (custom content outside @AGENTS.md bridge)'); L49: return; ... L51: if (existing.trim() === stub.trim()) { L52: console.log('CLAUDE.md already up to date'); L53: return; Payload evidence from postinstall/detect-agent.js: L24: */ L25: function detectAgent(env = process.env) { L26: const override = env.CFM_SDK_AGENT;
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

postinstall.jsView on unpkg · L24
templates/docs/survey-ui/verify-agent-build.shView file
path = templates/docs/survey-ui/verify-agent-build.sh kind = build_helper sizeBytes = 10916 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/docs/survey-ui/verify-agent-build.shView on unpkg
dist/cli/index.mjsView file
matchType = normalized_sha256 matchedPackage = @explorer02/cfm-survey-sdk@0.9.3 matchedPath = dist/cli/index.mjs matchedIdentity = npm:[redacted]:0.9.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli/index.mjsView on unpkg
dist/index.jsView file
matchType = normalized_sha256 matchedPackage = @explorer02/cfm-survey-sdk@0.9.3 matchedPath = dist/index.js matchedIdentity = npm:[redacted]:0.9.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical9 High5 Medium6 Low
CriticalAi Agent Control Hijackpostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighKnown Malware Source Similaritydist/cli/index.js
HighKnown Malware Source Similaritydist/cli/index.mjs
HighKnown Malware Source Similaritydist/index.js
HighKnown Malware Source Fingerprint Signaturedist/cli/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/docs/survey-ui/verify-agent-build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License