registry  /  @jjlmoya/utils-babies  /  1.18.0

@jjlmoya/utils-babies@1.18.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install hook performs package-aligned CSS asset copying into the consumer project. No confirmed malicious attack surface is established.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install in a consuming project
Impact
Creates/overwrites CSS asset files for this package's tools; no exfiltration or code execution chain observed
Mechanism
copy packaged CSS files to public/styles/lib/babies
Rationale
The suspicious lifecycle hook is source-visible and limited to copying this package's CSS assets for expected Astro tool styling. Static inspection found no credential access, network calls, shell execution, obfuscation, persistence, or AI-agent control-surface mutation.
Evidence
package.jsonscripts/postinstall.mjssrc/index.tssrc/data.tssrc/entries.tssrc/tools.tspublic/styles/lib/babies/*.css

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs writes package CSS into consumer public/styles/lib/babies when installed under node_modules
Evidence against
  • postinstall exits immediately when not running from node_modules
  • postinstall only reads package.json and src/tool CSS files, then copies CSS assets
  • No child_process, eval/vm, credential harvesting, or network execution found
  • Runtime entrypoints export Astro baby-tool components, metadata, and local i18n/data modules
Behavioral surface
Source
ChildProcessFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 191 file(s), 1.56 MB of source, external domains: doi.org, journals.lww.com, nap.nationalacademies.org, pogiorid.org, ptp.edu.pl, schema.org, spmr.pt, turkpediatri.org.tr, www.1177.se, www.aap.org, www.acog.org, www.aeped.es, www.carters.com, www.cdc.gov, www.china-obgyn.net, www.cma.org.cn, www.cnsoc.org, www.dggg.de, www.dgkj.de, www.has-sante.fr, www.idai.or.id, www.idionline.org, www.investopedia.com, www.jpeds.or.jp, www.jsog.or.jp, www.kiabi.com, www.ksog.org, www.llli.org, www.mayoral.com, www.nejm.org, www.nice.org.uk, www.nvog.nl, www.pediatr-russia.ru, www.pediatric.or.kr, www.ptginp.pl, www.reddit.com, www.roag-portal.ru, www.salute.gov.it, www.sanidad.gob.es, www.sef.es, www.sego.es, www.sfog.se, www.sfpediatrie.com, www.sigo.it, www.spgo.pt, www.spp.pt, www.tjod.org, www.unicef.fr, www.unicef.org, www.uptodate.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License