AI Security Review
scanned 41m ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface. Residual risk is a user-invoked local git UI binary with native code and agent-session visibility features.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the ingit executable
Impact
Can read local repository metadata and local agent session summaries for display; no exfiltration or persistence confirmed.
Mechanism
local git UI server with native git helper and agent-session inspection
Attack narrative
The package is a platform-specific prebuilt for ingit. When run, it starts a localhost git-history UI and exposes RPC actions for git operations, GitHub PR/CI lookup, and local agent-session focus/display. The agent-session code reads Claude/Codex session files but appears user-invoked and UI-local, with no lifecycle delivery, persistence, or remote exfiltration found.
Rationale
This is not malicious by source inspection because there are no lifecycle hooks or unconsented control-surface mutations, and observed network use is package-aligned. The native binary plus agent-session inspection is real residual risk, so warn rather than block.
Evidence
package.jsoningitlibziggit.dylibclient/index.htmlclient/assets/index-CgrOd-mb.js.claude/sessions/*.json.claude/projects/*.jsonl.codex/sessions/*.jsonl
Network endpoints3
127.0.0.1:8488ws://127.0.0.1:8488/rpcapi.github.com
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- Ships Mach-O executable ingit and native libziggit.dylib.
- ingit starts local HTTP/WebSocket server on 127.0.0.1:8488 and serves bundled client.
- Runtime code can inspect running Claude/Codex agent sessions and read .claude/.codex session files for local UI display.
- Optional UI action can call GNOME InstallRemoteExtension for Window Calls.
Evidence against
- package.json has no lifecycle scripts, bin, main, or import-time entrypoint.
- No install-time writes to foreign AI-agent control surfaces found.
- GitHub API use is repo-aligned for PR/CI metadata and uses GITHUB_TOKEN only as request auth.
- Scanner Unicode finding is three invisible chars in bundled frontend, not control-flow hiding.
- Native library strings identify ziggit-ffi with no suspicious endpoints found.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
2 flagged · loading sourceclient/assets/index-CgrOd-mb.jsView file
577contains invisible/control Unicode U+2060 (word joiner)
`):e}var Es=null,Ds;function Os(){return Es===null&&(Es=new Intl.Segmenter(Ds,{granularity:`word`})),Es}var ks=/\p{Script=Arabic}/u,As=/\p{M}/u,js=/\p{Nd}/u;function Ms(e){return ks.test(e)}function Ns(e){return e>=19968&&e<=40959||e>=13312
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
client/assets/index-CgrOd-mb.jsView on unpkg · L577libziggit.dylibView file
•path = libziggit.dylib
kind = native_binary
sizeBytes = 52544
magicHex = [redacted]
Medium
Findings
1 Critical3 Medium2 Low
CriticalTrojan Source Unicodeclient/assets/index-CgrOd-mb.js
MediumNetwork
MediumShips Native Binarylibziggit.dylib
MediumStructural Risk Force Deep Review
LowHigh Entropy Strings
LowUrl Strings