AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface from inspected source. The package uses an install-time native binary downloader for its own CLI, which is package-aligned but not evidence of malware by itself.
Decision evidence
public snapshot- package.json defines postinstall: node ./install.js
- binary-install.js downloads a platform tarball and extracts it during install
- binary-install.js uses spawnSync for tar/unzip and later for the installed wipe binary
- Download URL is package-aligned GitHub release: https://github.com/mflRevan/wipe/releases/download/v0.2.2
- Install writes only package-local node_modules/.bin_real binaries
- run-wipe.js only delegates user-invoked CLI execution to the installed wipe binary
- No credential harvesting, broad filesystem scanning, persistence, or AI-agent control-surface writes found
- No suspicious install-time execution of the downloaded wipe binary found
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
binary-install.jsView on unpkg · L92This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
binary-install.jsView on unpkg