AI Security Review
scanned 2h ago · by lpm-firewall-aiThe confirmed behavior is an automatic install-time callback that transmits host and CI/build metadata. This is package-aligned canary telemetry, but it is still unconsented data disclosure on install.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- package.json defines install-time postinstall: node postinstall.js
- postinstall.js sends an HTTPS GET to poc-luminary-npm-1782987043.testingboxes.com during install
- postinstall.js collects npm/CI identifiers plus hostname, username, and OS details
- Only package files are package.json, README.md, and postinstall.js
- No child_process, eval, dynamic code loading, file reads/writes, persistence, or destructive behavior found
- README.md and manifest describe dependency-confusion canary purpose
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource collects local host identity data and sends it to an external endpoint.
postinstall.jsView on unpkg · L8