registry  /  @hominis/fireforge  /  0.37.0

@hominis/fireforge@0.37.0

FireForge — a build tool for customizing Firefox

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit FireForge mach/build workflow installs a persistent Python resource-monitor guard into Firefox mach virtual environments and supplies a temporary PYTHONPATH fallback. This is a guarded platform-extension lifecycle mutation, not install-time execution or a confirmed malicious payload.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes a FireForge workflow that dispatches mach/build tooling.
Impact
Can alter Python behavior for affected Firefox mach virtualenv executions until overwritten or removed.
Mechanism
Writes and loads a Python import/resource-monitor shim in Firefox mach environments.
Rationale
Source inspection found no concrete credential theft, covert exfiltration, remote payload execution, or install-time malicious behavior. The persistent mach-virtualenv shim is nonetheless a real guarded platform-extension lifecycle risk and warrants a warning under the stated policy.
Evidence
package.jsondist/src/core/mach-resource-shim.jsdist/src/core/firefox-archive.jsdist/src/core/firefox-cache.jsdist/src/core/firefox-download.jsdist/bin/fireforge.jsdist/src/cli.jsdist/src/core/firefox.jsdist/src/utils/process.js
Network endpoints2
archive.mozilla.org/pub/firefox/releasesarchive.mozilla.org/pub/devedition/releases

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/src/core/mach-resource-shim.js` writes Python guard modules into discovered Firefox mach virtualenv `site-packages`.
  • The same shim prepends a temp `sitecustomize.py` directory to `PYTHONPATH` and monkey-patches Python imports/resource monitors.
  • `package.json` has a `prepare` hook, but the shipped `scripts/prepare.mjs` is absent and its ERR_MODULE_NOT_FOUND path exits successfully.
Evidence against
  • No `preinstall`, `install`, or `postinstall` hook is declared.
  • Network code is Firefox-source download logic restricted to `https://archive.mozilla.org` with SHA-256 verification.
  • CLI process execution uses explicit FireForge commands to run Firefox/mach tooling; no credential harvesting or exfiltration was found.
  • Dynamic imports in `dist/src/core/firefox-cache.js` and `dist/src/core/firefox.js` load Node filesystem/path modules, not remote code.
  • No AI-agent configuration paths or foreign agent-control-surface mutations were found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 300 file(s), 2.35 MB of source, external domains: archive.mozilla.org, facebook.github.io, git-scm.com, github.com, mozilla.org, python.org, www.mozilla.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/src/core/typecheck-shim.jsView file
48* content scripts wired via `browser.js`. L49: * - Dynamic `import("resource:-…")` / `import("chrome:-…")` under patch L50: * checkJs: imports of *patch-owned* modules resolve to their real
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/core/typecheck-shim.jsView on unpkg · L48
dist/src/core/firefox-cache.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @hominis/fireforge@0.35.0 matchedIdentity = npm:QGhvbWluaXMvZmlyZWZvcmdl:0.35.0 similarity = 0.567 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/core/firefox-cache.jsView on unpkg

Findings

1 High4 Medium6 Low
HighPrevious Version Dangerous Deltadist/src/core/firefox-cache.js
MediumDynamic Requiredist/src/core/typecheck-shim.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License