AI Security Review
scanned 1d ago · by lpm-firewall-aiInstall-time code retrieves an unpinned native binary from the package's GitHub latest release and installs it under the package vendor directory. Runtime CLI execution delegates to that native binary, which is not present in this extracted package for inspection.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later runs kv-code
Impact
Unpinned release asset could change package behavior outside npm tarball review, but no confirmed malicious payload is present in the inspected source.
Mechanism
install-time remote native binary download and runtime spawn
Attack narrative
On install, the postinstall script checks for a local or optional-dependency native binary. If missing, it queries the package's GitHub latest release, downloads a matching archive, extracts it, copies kv-code into vendor, and marks it executable. The JS launcher then spawns that binary for CLI use. This is risky because the executed native payload is fetched outside the npm package contents, but the inspected source does not show exfiltration, persistence, or foreign AI-agent control hijacking.
Rationale
The package has a real install-time remote binary installation surface, but it is package-aligned and no concrete malicious behavior is visible in the inspectable source. Treat as suspicious/warn rather than block because the main risk is unpinned native payload delivery outside the tarball, not confirmed malware.
Evidence
package.jsonscripts/postinstall.jsbin/kv-code.jsREADME.mdvendor/<targetTriple>/bin/kv-codevendor/<targetTriple>/bin/kv-code.exe.tmp-install
Network endpoints2
api.github.com/repos/HyperXenonZephyr/Kv-code/releases/latestgithub.com/HyperXenonZephyr/Kv-code/releases
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node scripts/postinstall.js
- scripts/postinstall.js fetches https://api.github.com/repos/HyperXenonZephyr/Kv-code/releases/latest
- postinstall downloads a release asset, extracts it with tar, copies a native binary into vendor, and chmods it executable
- bin/kv-code.js later spawns the resolved native binary with inherited stdio and process environment
Evidence against
- Network use is package-aligned to the declared GitHub repo and release assets
- No credential harvesting, broad file scanning, or exfiltration code found in inspected JS sources
- No writes to Claude/Codex/Cursor/MCP agent control surfaces or shell/VCS persistence files
- README describes a local-first terminal coding agent and provider configuration rather than covert behavior
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings