AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall triggers a dependency-confusion canary that fingerprints the environment and sends it to an external researcher endpoint. No persistence or credential file harvesting was found, but the network callback is automatic at install time.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- package.json defines install-time postinstall: node postinstall.js
- postinstall.js sends HTTPS GET to external testingboxes.com endpoint during install
- postinstall.js collects host/user/OS plus CI repo, runner, sha, ref, workflow env identifiers
- postinstall.js suppresses errors and never fails install
- No child_process, shell execution, eval, dynamic require, or native/binary loading found
- No file reads/writes or persistence found beyond executing postinstall.js
- README/package comments describe it as a dependency-confusion canary
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource collects local host identity data and sends it to an external endpoint.
postinstall.jsView on unpkg · L8