registry  /  @lark-codem/codem-core-darwin-arm64  /  0.7.66

@lark-codem/codem-core-darwin-arm64@0.7.66

Platform-specific CodeM binary for darwin-arm64.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Installation changes permissions and removes macOS trust metadata from the bundled executable. The native CLI has runtime network, process, and filesystem capabilities, but no concrete malicious chain was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall; later explicit execution of `codem-core`
Impact
Reduces macOS execution warnings for the bundled binary; runtime capability warrants caution.
Mechanism
postinstall quarantine removal plus native agent-capable CLI
Rationale
The lifecycle script weakens macOS trust metadata for a native agent-capable executable, creating unresolved supply-chain risk. It is not concrete malware because the inspected package shows no direct malicious execution or unconsented foreign control-surface mutation.
Evidence
package.jsoncodem-core
Network endpoints4
codem.feishu.cn/models/v1/chat/completionsmcs.zijieapi.com/v2/event/jsonfornax.bytedance.net/open-api/observability/opentelemetry/v1/tracesregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 85.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` postinstall chmods `codem-core` and deletes macOS quarantine/provenance attributes.
  • `codem-core` is a native arm64 Mach-O binary with process-spawn, filesystem, and network imports.
  • Binary strings expose agent/plugin/MCP configuration paths and runtime command support.
  • Binary embeds model and telemetry endpoints.
Evidence against
  • Postinstall does not execute `codem-core` or download code.
  • No install-time writes to foreign AI-agent configuration were found.
  • No credential-harvesting or direct exfiltration path was confirmed from inspected artifacts.
  • The lifecycle action is limited to the package-owned `codem-core` file and macOS metadata.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){};if(process.platform==='darwin'){['com.apple.quarantine','com.apple...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){};if(process.platform==='darwin'){['com.apple.quarantine','com.apple...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
codem-coreView file
path = codem-core kind = native_binary sizeBytes = 10274736 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

codem-coreView on unpkg

Findings

1 Critical1 High2 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumShips Native Binarycodem-core
MediumStructural Risk Force Deep Review
LowScripts Present
LowNo License