registry  /  @lumpcode/cli  /  0.0.11

@lumpcode/cli@0.0.11

CLI for running agent loops over your codebase. Run agent loop campaigns (lumps) with CLI agents, git branches, and resumable LUMP marker commits

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code overwrites Lumpcode-owned preset modules in `~/.lumpcode` and attempts to download a native CLI binary. On a later explicit `lumpcode` invocation, the launcher executes that binary when installed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall; later explicit `lumpcode` command
Impact
A remote release binary can run with the invoking user's permissions; shipped presets can launch Cursor or Copilot with prompts and configured tool permissions.
Mechanism
First-party agent-extension setup plus native binary bootstrap
Rationale
This is not proven malware, but its postinstall mutation of a first-party agent-extension directory and remote native-binary bootstrap warrant a warning. The observed behavior matches a guarded first-party extension lifecycle risk rather than a publish-block attack.
Evidence
package.jsonscripts/postinstall.mjsscripts/native-binary.mjsbin/lumpcode.jsdist/installPresetCommands.mjsdist/presets/commands/cursor.jsdist/presets/commands/copilot.js~/.lumpcode/commands/presetsvendor/lumpcodevendor/.installed
Network endpoints1
github.com/${repo}/releases/download/${tag}/${assetBase}

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` invokes `scripts/postinstall.mjs`.
  • `scripts/postinstall.mjs` overwrites `~/.lumpcode/commands/presets/*`.
  • `scripts/native-binary.mjs` fetches a release binary, writes `vendor/lumpcode`, and marks it executable.
  • `bin/lumpcode.js` prefers the downloaded binary on later user CLI runs.
  • `dist/presets/commands/copilot.js` can enable all Copilot tools when invoked without scoped permissions.
Evidence against
  • Native binary download is disabled in CI and supports `LUMPCODE_SKIP_BINARY=1`.
  • The download URL is a GitHub release pattern and checks SHA-256 when its checksum is available.
  • Preset commands target the package's own `~/.lumpcode` configuration, not Cursor or Copilot config files.
  • No source evidence of credential harvesting, secret exfiltration, destructive commands, or hidden payload decoding was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 996 KB of source, external domains: dotenvx.com, github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/lumpcode.jsView file
2L3: const { spawn } = require('node:child_process'); L4: const fs = require('node:fs');
High
Child Process

Package source references child process execution.

bin/lumpcode.jsView on unpkg · L2
2Cross-file remote execution chain: bin/lumpcode.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2: L3: const { spawn } = require('node:child_process'); L4: const fs = require('node:fs'); ... L6: L7: const pkgRoot = path.join(__dirname, '..'); L8: const vendorDir = path.join(pkgRoot, 'vendor'); ... L10: const nativeBinary = L11: process.platform === 'win32' L12: ? path.join(vendorDir, 'lumpcode.exe')
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/lumpcode.jsView on unpkg · L2
2L3: const { spawn } = require('node:child_process'); L4: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lumpcode.jsView on unpkg · L2
dist/presets/commands/cursor.jsView file
8L9: const execAsync = promisify(exec); L10:
High
Shell

Package source references shell execution.

dist/presets/commands/cursor.jsView on unpkg · L8
dist/index.jsView file
1(()=>{var e={3457:(e,t,r)=>{"use strict";Object.defineProperty(t,"__esModule",{value:true});t.MissingRefError=t.ValidationError=t.CodeGen=t.Name=t.nil=t.stringify=t.str=t._=t.Keywo... L2: || (${u} == "string" && ${o} && ${o} == +${o})`).assign(c,(0,s._)`+${o}`);return;case"integer":i.elseIf((0,s._)`${u} === "boolean" || ${o} === null ... L6: depsCount: ${t}, L7: deps: ${r}}`};const s={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){const[t,r]=splitDependencies(e);validatePropertyDeps(e,t);validateSchemaDeps(e... L8: /*! js-yaml 5.0.0 https://github.com/nodeca/js-yaml @license MIT */var y=Symbol("NOT_RESOLVED");var b=Symbol("MERGE_KEY");function defineScalarTag(e,t){return{tagName:e,nodeKind:"s...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1(()=>{var e={3457:(e,t,r)=>{"use strict";Object.defineProperty(t,"__esModule",{value:true});t.MissingRefError=t.ValidationError=t.CodeGen=t.Name=t.nil=t.stringify=t.str=t._=t.Keywo... L2: || (${u} == "string" && ${o} && ${o} == +${o})`).assign(c,(0,s._)`+${o}`);return;case"integer":i.elseIf((0,s._)`${u} === "boolean" || ${o} === null L3: || (${u} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(c,(0,s._)`+${o}`);return;case"boolean":i.elseIf((0,s._)`${o} === "false" || ${o} === 0 || ${o} === null`).as... L4: || ${u} === "boolean" || ${o} === null`).assign(c,(0,s._)`[${o}]`)}}}function assignParentData({gen:e,parentData:t,parentDataProperty:r},i){e.if((0,s._)`${t} !== undefined`,(()=>e.... L5: missingProperty: ${o}, L6: depsCount: ${t}, L7: deps: ${r}}`};const s={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){const[t,r]=splitDependencies(e);validatePropertyDeps(e,t);validateSchemaDeps(e... L8: /*! js-yaml 5.0.0 https://github.com/nodeca/js-yaml @license MIT */var y=Symbol("NOT_RESOLVED");var b=Symbol("MERGE_KEY");function defineScalarTag(e,t){return{tagName:e,nodeKind:"s...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L1
1(()=>{var e={3457:(e,t,r)=>{"use strict";Object.defineProperty(t,"__esModule",{value:true});t.MissingRefError=t.ValidationError=t.CodeGen=t.Name=t.nil=t.stringify=t.str=t._=t.Keywo... L2: || (${u} == "string" && ${o} && ${o} == +${o})`).assign(c,(0,s._)`+${o}`);return;case"integer":i.elseIf((0,s._)`${u} === "boolean" || ${o} === null
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L1

Findings

7 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/lumpcode.js
HighShelldist/presets/commands/cursor.js
HighSame File Env Network Executiondist/index.js
HighObfuscated Payload Loaderdist/index.js
HighCross File Remote Execution Contextbin/lumpcode.js
HighObfuscated
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/lumpcode.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings