registry  /  @jjlmoya/utils-printing3d  /  1.23.0

@jjlmoya/utils-printing3d@1.23.0

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The only install-time behavior is package-aligned asset copying for bundled CSS into a consumer public styles directory. No confirmed malicious attack surface is established.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall in node_modules
Impact
Creates public/styles/lib/printing3d and copies bundled calculator CSS files; no exfiltration or code execution chain found
Mechanism
local CSS asset copy
Rationale
Static inspection shows a suspicious lifecycle hook, but its source only copies bundled CSS assets into a predictable public styles path and contains no network, credential harvesting, shell execution, destructive behavior, or AI-agent control-surface mutation. Runtime entrypoints are ordinary 3D-printing calculator exports and localized content loaders.
Evidence
package.jsonscripts/postinstall.mjssrc/index.tssrc/data.tssrc/entries.tssrc/tools.tssrc/category/index.tssrc/tool/coreXYBeltTensionEstimator/logic.tssrc/tool/*/*.csspublic/styles/lib/printing3d/*.css

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has install-time postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs writes CSS files into consumer public/styles/lib/printing3d when installed under node_modules
Evidence against
  • postinstall exits immediately unless its own script path includes node_modules
  • postinstall only reads package.json and bundled src/tool CSS, then copies .css files; no network, shell, env, credential, or agent config access
  • exports/main point to src/index.ts, src/data.ts, and src/entries.ts with static tool/category exports
  • rg found no child_process, fetch, XMLHttpRequest, process.env, destructive file APIs, native binaries, or encoded payload behavior in runtime source
  • Observed URLs are bibliography/schema/font references, not exfiltration endpoints
Behavioral surface
Source
ChildProcessFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 238 file(s), 2.83 MB of source, external domains: blog.prusa3d.com, docs.vorondesign.com, e3d-online.com, en.wikipedia.org, formlabs.com, forum.simplify3d.com, github.com, help.prusa3d.com, pubchem.ncbi.nlm.nih.gov, reprap.org, schema.org, sigmafilament.com, wiki.bambulab.com, www.cdc.gov, www.engineeringtoolbox.com, www.hubs.com, www.iso.org, www.matterhackers.com, www.simplify3d.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License