registry  /  @lark-codem/codem-core-win32-x64-gnu  /  0.7.63

@lark-codem/codem-core-win32-x64-gnu@0.7.63

Platform-specific CodeM binary for win32-x64-gnu.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface. Installation only adjusts permissions on the package-owned executable; network and agent features require later binary invocation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; separate explicit execution of `codem-core.exe`
Impact
No confirmed credential theft, exfiltration, persistence, destructive action, or AI-agent configuration mutation during installation.
Mechanism
package-owned executable permission normalization
Rationale
Direct inspection shows the sole lifecycle action changes mode on the bundled executable and does not execute it. Native-binary and runtime network/agent strings alone do not establish malicious behavior.
Evidence
package.jsoncodem-core.exe

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` has a `postinstall` hook.
  • Package ships native `codem-core.exe`.
  • The PE imports networking and process APIs, consistent with a CLI agent binary.
Evidence against
  • `postinstall` only calls `chmodSync` on its own `codem-core.exe` and suppresses errors.
  • No lifecycle hook executes the binary, contacts a network endpoint, or writes user/agent configuration.
  • Package contains only `package.json`, `LICENSE`, and the platform-specific executable.
  • Embedded service URLs and MCP/config strings are runtime CLI capabilities, not install-time behavior.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core.exe'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core.exe'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
codem-core.exeView file
path = codem-core.exe kind = native_binary sizeBytes = 12851200 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

codem-core.exeView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Native Binarycodem-core.exe
LowScripts Present
LowNo License