AI Security Review
scanned 3h ago · by lpm-firewall-ai`postinstall.js` automatically retrieves and executes a native CLI payload at install time. The payload is package-aligned but its integrity is not verified before installation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation with lifecycle scripts enabled
Impact
A compromised release asset or redirect target could supply arbitrary native code that runs when the user invokes `dotenv`.
Mechanism
postinstall download, gzip extraction, and executable permission grant
Rationale
The source does not show concrete malicious behavior, but automatic installation of an unverified remotely fetched native executable is a material supply-chain risk. Flag as a warning rather than block because the endpoint and artifact naming are package-aligned and no malicious chain is confirmed.
Evidence
package.jsonpostinstall.jsbin/dotenvvendor/dotenv$TMPDIR/dotenv-cli-<timestamp>.gz
Network endpoints1
github.com/MikeGarde/dotenv-cli/releases/download/1.1.2/
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `postinstall.js` runs automatically via `package.json` postinstall.
- Install script downloads a platform-specific executable from GitHub Releases.
- Downloaded gzip is decompressed into `vendor/dotenv` and marked executable.
- No checksum, signature, or pinned artifact digest verifies the downloaded binary.
- Redirect handling accepts up to five redirects without restricting the destination host.
Evidence against
- No source reads or transmits `.env` contents, credentials, or other local files.
- No hidden shell, eval, dynamic code loading, persistence, or destructive actions found.
- `bin/dotenv` only launches the installed `vendor/dotenv` with user-provided arguments.
- The remote artifact name and release URL are package-aligned to `MikeGarde/dotenv-cli` and its declared version.
Behavioral surface
FilesystemNetwork
UrlStrings
CopyleftLicense
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgREADME.mdView file
160patternName = private_key_rsa
severity = critical
line = 160
matchedText = -----BEG...f...
Critical
163patternName = private_key_rsa
severity = critical
line = 163
matchedText = -----BEG...----
Critical
Findings
2 Critical1 High2 Medium4 Low
CriticalSecret PatternREADME.md
CriticalSecret PatternREADME.md
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License