AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface. Installation only adjusts permissions on the package-owned executable; network and agent features require later binary invocation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; separate explicit execution of `codem-core.exe`
Impact
No confirmed credential theft, exfiltration, persistence, destructive action, or AI-agent configuration mutation during installation.
Mechanism
package-owned executable permission normalization
Rationale
Direct inspection shows the sole lifecycle action changes mode on the bundled executable and does not execute it. Native-binary and runtime network/agent strings alone do not establish malicious behavior.
Evidence
package.jsoncodem-core.exe
Decision evidence
public snapshotAI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` has a `postinstall` hook.
- Package ships native `codem-core.exe`.
- The PE imports networking and process APIs, consistent with a CLI agent binary.
Evidence against
- `postinstall` only calls `chmodSync` on its own `codem-core.exe` and suppresses errors.
- No lifecycle hook executes the binary, contacts a network endpoint, or writes user/agent configuration.
- Package contains only `package.json`, `LICENSE`, and the platform-specific executable.
- Embedded service URLs and MCP/config strings are runtime CLI capabilities, not install-time behavior.
Behavioral surface
NoLicense
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core.exe'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){}"
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node -e "var f=require('path').join(__dirname,'codem-core.exe'),fs=require('fs');try{fs.chmodSync(f,0o755)}catch(e){}"
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgcodem-core.exeView file
•path = codem-core.exe
kind = native_binary
sizeBytes = 12851200
magicHex = [redacted]
Medium
Findings
1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Native Binarycodem-core.exe
LowScripts Present
LowNo License