AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package uses an install hook to download and install its own CLI binary from the Infisical GitHub release path.
Decision evidence
public snapshot- package.json defines preinstall: node src/index.cjs
- src/index.cjs fetches a platform/arch Infisical release binary from GitHub during install
- src/index.cjs writes extracted executable files under bin/ and chmods bin/infisical
- Download URL is package-aligned: github.com/Infisical/cli release for package version 0.43.104
- Archive extraction filters to infisical/infisical.exe only
- No credential/env harvesting, broad filesystem scanning, persistence, destructive behavior, or exfiltration found
- Only child_process use is uname -m for ARM architecture detection
- Package tarball contains only package.json, README.md, .eslintrc.json, and src/index.cjs
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage ships compressed or archive-like blobs.
infisical-cli-0.43.104.tgzView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
infisical-cli-0.43.104.tgzView on unpkg