AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Installation changes permissions and removes macOS trust metadata from the bundled executable. The native CLI has runtime network, process, and filesystem capabilities, but no concrete malicious chain was confirmed.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall; later explicit execution of `codem-core`
Impact
Reduces macOS execution warnings for the bundled binary; runtime capability warrants caution.
Mechanism
postinstall quarantine removal plus native agent-capable CLI
Rationale
The lifecycle script weakens macOS trust metadata for a native agent-capable executable, creating unresolved supply-chain risk. It is not concrete malware because the inspected package shows no direct malicious execution or unconsented foreign control-surface mutation.
Evidence
package.jsoncodem-core
Network endpoints4
codem.feishu.cn/models/v1/chat/completionsmcs.zijieapi.com/v2/event/jsonfornax.bytedance.net/open-api/observability/opentelemetry/v1/tracesregistry.npmjs.org
Decision evidence
public snapshotAI called this Suspicious at 85.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` postinstall chmods `codem-core` and deletes macOS quarantine/provenance attributes.
- `codem-core` is a native arm64 Mach-O binary with process-spawn, filesystem, and network imports.
- Binary strings expose agent/plugin/MCP configuration paths and runtime command support.
- Binary embeds model and telemetry endpoints.
Evidence against
- Postinstall does not execute `codem-core` or download code.
- No install-time writes to foreign AI-agent configuration were found.
- No credential-harvesting or direct exfiltration path was confirmed from inspected artifacts.
- The lifecycle action is limited to the package-owned `codem-core` file and macOS metadata.
Behavioral surface
NoLicense
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){};if(process.platform==='darwin'){['com.apple.quarantine','com.apple...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){};if(process.platform==='darwin'){['com.apple.quarantine','com.apple...
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgcodem-coreView file
•path = codem-core
kind = native_binary
sizeBytes = 10274736
magicHex = [redacted]
Medium
Findings
1 Critical1 High2 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumShips Native Binarycodem-core
MediumStructural Risk Force Deep Review
LowScripts Present
LowNo License