AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The only install-time behavior creates a .browserslistrc pointing to this package when no Browserslist config is found.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall during package installation
Impact
May create .browserslistrc in the installing project, but content is limited to extending this Browserslist config.
Mechanism
package-aligned config file creation
Rationale
Static inspection confirms the scanner's lifecycle and env-var signals, but they support package setup rather than exfiltration, execution, persistence, or agent-control mutation. The runtime entrypoints are inert configuration exports and the postinstall behavior is bounded to a Browserslist config file.
Evidence
package.jsonscripts/postinstall.cjsindex.cjswrapper.mjs.browserslistrc
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines a postinstall lifecycle: node scripts/postinstall.cjs.
- scripts/postinstall.cjs uses process.env.INIT_CWD and writes .browserslistrc in the installing project if absent.
Evidence against
- index.cjs only exports a Browserslist query array.
- wrapper.mjs only re-exports index.cjs as ESM default.
- postinstall writes a package-aligned Browserslist config: extends @ivuorinen/browserslist-config.
- No network, credential harvesting, shell execution, eval/vm, binary loading, persistence, destructive behavior, or AI-agent control-surface writes found.
Behavioral surface
EnvironmentVarsFilesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem