AI Security Review
scanned 1d ago · by lpm-firewall-ai

The confirmed issue is lifecycle-time mutation of the installing repository's Git hook path. It can disable or redirect project hooks without user consent during package install/build preparation.
Decision evidence (public snapshot)
- package.json prepare runs during the npm lifecycle and executes git config core.hooksPath git-hooks when the package is installed inside any git worktree.
- The package file list does not include git-hooks, so the lifecycle script mutates the consumer repo's VCS hook configuration without shipping a package-owned hook directory.
- This is unconsented install-time mutation of a project control surface, matching the VCS hook persistence policy.
- fased.mjs only bootstraps the CLI and imports dist/entry.js; no install-time import execution was found there.
- In dist/send-BfoWn2uU.js and dist/send-pgDAogV8.js, the Discord network calls and ffmpeg/ffprobe execution are channel-send features, not automatic exfiltration.
- No evidence of credential harvesting or of a hardcoded exfiltration endpoint beyond the configured service APIs.
Source & flagged code (41 flagged)
- Package source references child process execution. (dist/paths-CcTInsz7.js, line 8)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (dist/daemon-cli.js, line 38)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon-cli.js, line 38)
- Package source references dynamic require/import behavior. (dist/query-expansion-aFF5iDSy.js, line 84)
- Package source references weak cryptographic algorithms. (extensions/voice-call/src/webhook-security.ts, line 76)
- Source executes local commands and sends command output to an external endpoint. (dist/send-BfoWn2uU.js, line 12)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/send-pgDAogV8.js, line 15)
- Package ships non-JavaScript build or shell helper files. (scripts/start-managed.sh)
- Package contains source files above the static scanner size ceiling. (dist/pi-embedded-IqgbZA5l.js)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/node-cli-DniBkXLM.js)
- Hardcoded password in docs/zh-CN/gateway/tailscale.md (line 80)
- Hardcoded password in docs/zh-CN/gateway/configuration.md (line 3027)
- Hardcoded password in docs/zh-CN/channels/bluebubbles.md (line 43)
- Hardcoded password in docs/gateway/tailscale.md (line 128)
- Hardcoded password in docs/gateway/configuration-reference.md (line 629)
- Hardcoded password in docs/gateway/configuration-reference.md (line 2371)
- Hardcoded password in docs/gateway/configuration-reference.md (line 2398)
- Hardcoded password in docs/channels/bluebubbles.md (line 51)
- Hardcoded password in extensions/irc/src/client.test.ts (line 39)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (line 90)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (line 100)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (line 132)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (line 154)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (line 260)
- Hardcoded password in extensions/bluebubbles/src/send.test.ts (line 733)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 303)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 563)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 599)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 639)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 674)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 675)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 728)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 782)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 3088)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (line 3092)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (line 54)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (line 95)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (line 109)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (line 128)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (line 207)