registry  /  @lark-codem/codem-core-darwin-arm64  /  0.7.65

@lark-codem/codem-core-darwin-arm64@0.7.65

Platform-specific CodeM binary for darwin-arm64.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Installation only prepares the package-owned native executable for macOS execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall
Impact
Enables execution of the bundled package-owned binary; no foreign control-surface mutation confirmed.
Mechanism
chmod plus removal of macOS xattrs on `codem-core`
Rationale
Direct inspection shows a platform-binary package whose lifecycle hook modifies only its bundled executable. Xattr removal is risky packaging behavior but is not concrete malicious behavior or an AI-agent control-surface hijack.
Evidence
package.jsoncodem-coreLICENSE

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `package.json` runs a `postinstall` hook.
  • The hook removes macOS quarantine and provenance xattrs from `codem-core`.
  • `codem-core` is a bundled 10 MB native ARM64 executable.
Evidence against
  • The hook only chmods and changes xattrs on its own `codem-core` path.
  • Manifest code has no credential collection, network request, shell interpolation, or foreign-path write.
  • Package contains only `package.json`, `LICENSE`, and the declared platform binary.
  • Static binary strings show npm/plugin CLI functionality, but no concrete install-time exfiltration or persistence chain.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){};if(process.platform==='darwin'){['com.apple.quarantine','com.apple...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){};if(process.platform==='darwin'){['com.apple.quarantine','com.apple...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
codem-coreView file
path = codem-core kind = native_binary sizeBytes = 10291360 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

codem-coreView on unpkg

Findings

1 Critical1 High2 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumShips Native Binarycodem-core
MediumStructural Risk Force Deep Review
LowScripts Present
LowNo License