AI Security Review
scanned 8d ago · by lpm-firewall-aiThe package is a thin npm wrapper that downloads and executes its own platform-specific diffler binary. This is a supply-chain trust surface but source inspection did not show malicious behavior in the JavaScript wrapper.
Decision evidence
public snapshot- package.json defines postinstall: node install.js
- lib/resolve.js downloads a platform archive from GitHub releases or DIFFLER_DOWNLOAD_BASE
- lib/resolve.js extracts archive with tar or PowerShell and copies executable into bin/diffler
- bin/diffler.js executes resolved binary with caller args via spawnSync
- Network endpoint is package-aligned: https://github.com/matheusfillipe/diffler/releases/download
- No credential, env, home directory, or project file harvesting found
- No obfuscation, eval/vm/Function, dynamic require, persistence, or destructive logic found
- postinstall appears to install the package's own CLI binary, with lazy fetch on first CLI run
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/resolve.jsView on unpkg · L10