registry  /  @github/copilot-win32-x64  /  1.0.71

@github/copilot-win32-x64@1.0.71

GitHub Copilot CLI for win32-x64

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is established. When a user runs the CLI, it may discover configured Copilot extensions and fork an extension process that imports the selected local extension.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes the Copilot CLI in a project or profile containing a configured extension.
Impact
A discovered extension can execute with the invoking user's permissions; its behavior is outside this package's bundled bootstrap.
Mechanism
Runtime extension discovery and dynamic local extension import.
Rationale
Source inspection does not support a malicious verdict or publish block. The extension auto-loading behavior is a meaningful guarded runtime risk, so warn rather than mark clean.
Evidence
package.jsonnpm-loader.jspreloads/extension_bootstrap.mjscopilot-sdk/index.jscopilot-sdk/docs/extensions.mdapp.js.github/extensions/extension.mjs.copilot/extensions/extension.mjs

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `preloads/extension_bootstrap.mjs` dynamically imports `EXTENSION_PATH`.
  • `copilot-sdk/docs/extensions.md` says the CLI discovers and forks project/user extensions.
  • `copilot-sdk/index.js` can spawn the configured or bundled CLI runtime.
  • `app.js` and `sdk/index.js` include project AI-agent config path handling.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `npm-loader.js` only selects and synchronously starts the matching Copilot platform binary.
  • The extension bootstrap redirects SDK imports and loads a supplied local file; no downloader or exfiltration endpoint is present.
  • No package-owned persistence, destructive action, credential harvesting, or foreign control-surface mutation was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 15 file(s), 1.48 MB of source, external domains: aka.ms, api.anthropic.com, api.github.com, collector.example.com, collector.internal, docs.github.com, example.com, github.com, malicious-site.com, my-api.example.com, my-resource.openai.azure.com, no-color.org, proxy.corp.example, proxy.example.com
Oversized source lightweight scan
app.js8.67 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsNativeBindingsHighEntropyStringsUrlStringsapi.anthropic.comapi.github.comcollector.example.comcollector.internaldocs.github.comexample.comgithub.commalicious-site.commy-api.example.commy-resource.openai.azure.comno-color.orgproxy.corp.exampleproxy.example.com
sdk/index.js2.69 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsNativeBindingsHighEntropyStringsMinifiedUrlStringsgithub.com

Source & flagged code

10 flagged · loading source
index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @github/copilot-win32-x64@1.0.68 matchedIdentity = npm:[redacted]:1.0.68 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

index.jsView on unpkg
8L9: var Ve=Object.create;var B=Object.defineProperty;var Ue=Object.getOwnPropertyDescriptor;var je=Object.getOwnPropertyNames;var We=Object.getPrototypeOf,qe=Object.prototype.hasOwnPro... L10: `)}else s.length>0&&(t=N(s[0],"app.js"))}return t}import{existsSync as br}from"node:fs";import{basename as vr,resolve as Er}from"node:path";var Pe="extension_bootstrap.mjs";functio...
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L8
8L9: var Ve=Object.create;var B=Object.defineProperty;var Ue=Object.getOwnPropertyDescriptor;var je=Object.getOwnPropertyNames;var We=Object.getPrototypeOf,qe=Object.prototype.hasOwnPro... L10: `)}else s.length>0&&(t=N(s[0],"app.js"))}return t}import{existsSync as br}from"node:fs";import{basename as vr,resolve as Er}from"node:path";var Pe="extension_bootstrap.mjs";functio... ... L14: ${s}`)}function kr(e){if(e instanceof Error)return e.message;if(typeof e=="string")return e;try{return JSON.stringify(e)}catch{return Object.prototype.toString.call(e)}}function Ne... L15: `),process.exit(1)}}else if(process.env.COPILOT_SHUTDOWN_FLUSH){try{let{url:e,headers:r,body:t}=JSON.parse(process.env.COPILOT_SHUTDOWN_FLUSH);await fetch(e,{method:"POST",headers:...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L8
8L9: var Ve=Object.create;var B=Object.defineProperty;var Ue=Object.getOwnPropertyDescriptor;var je=Object.getOwnPropertyNames;var We=Object.getPrototypeOf,qe=Object.prototype.hasOwnPro... L10: `)}else s.length>0&&(t=N(s[0],"app.js"))}return t}import{existsSync as br}from"node:fs";import{basename as vr,resolve as Er}from"node:path";var Pe="extension_bootstrap.mjs";functio... ... L14: ${s}`)}function kr(e){if(e instanceof Error)return e.message;if(typeof e=="string")return e;try{return JSON.stringify(e)}catch{return Object.prototype.toString.call(e)}}function Ne... L15: `),process.exit(1)}}else if(process.env.COPILOT_SHUTDOWN_FLUSH){try{let{url:e,headers:r,body:t}=JSON.parse(process.env.COPILOT_SHUTDOWN_FLUSH);await fetch(e,{method:"POST",headers:...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

index.jsView on unpkg · L8
preloads/extension_bootstrap.mjsView file
15// Register a CJS require hook so that CommonJS extensions can L16: // `require("@github/copilot-sdk")` and have it resolve to the bundled SDK. L17: const sdkPath = process.env.COPILOT_SDK_PATH;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

preloads/extension_bootstrap.mjsView on unpkg · L15
copilot-sdk/index.jsView file
839Cross-file remote execution chain: copilot-sdk/index.js spawns index.js; helper contains network access plus dynamic code execution. L839: /** L840: * To be kept private to fire an event to L841: * subscribers ... L1377: try { L1378: await this.writable.write(headers.join(""), "ascii"); L1379: return this.writable.write(data); ... L2890: fromString(value, encoding) { L2891: return Buffer.from(value, encoding); L2892: } ... L3058: var crypto_1 = __require("crypto"); L3059: var net_1 = __require("net"); L3060: var api_1 = require_api();
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

copilot-sdk/index.jsView on unpkg · L839
prebuilds/win32-x64/cli-native.nodeView file
path = prebuilds/win32-x64/cli-native.node kind = native_binary sizeBytes = 931616 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

prebuilds/win32-x64/cli-native.nodeView on unpkg
tree-sitter-go.wasmView file
path = tree-sitter-go.wasm kind = wasm_module sizeBytes = 217182 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

tree-sitter-go.wasmView on unpkg
sdk/index.jsView file
path = sdk/index.js kind = oversized_source_file sizeBytes = 2815595 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

sdk/index.jsView on unpkg
app.jsView file
path = app.js kind = oversized_cli_entrypoint sizeBytes = 9089681 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

app.jsView on unpkg

Findings

1 Critical6 High7 Medium4 Low
CriticalPrevious Version Dangerous Deltaindex.js
HighChild Processindex.js
HighShell
HighSame File Env Network Executionindex.js
HighCommand Output Exfiltrationindex.js
HighCross File Remote Execution Contextcopilot-sdk/index.js
HighOversized Source Filesdk/index.js
MediumDynamic Requirepreloads/extension_bootstrap.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryprebuilds/win32-x64/cli-native.node
MediumShips Wasm Moduletree-sitter-go.wasm
MediumOversized Cli Entrypointapp.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License