AI Security Review
scanned 4h ago · by lpm-firewall-ai
The package is a thin installer and launcher for a native Slack channel binary. No confirmed malicious behavior is present in the inspected JS, but the actual binary payload is fetched at install time and is not included for source inspection.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user runs channel-slack CLI
Impact
Uninspectable native code from the GitHub release can execute when the CLI is invoked, and an existing package-local binary may be executed with --version during install.
Mechanism
install-time remote native binary download and package-local launcher
Attack narrative
On install, install.js selects a platform-specific artifact, downloads it from the package GitHub release, verifies it against sha256sums.txt from the same release, stores it as bin/channel-slack, and chmods it executable. The CLI wrapper later execs that binary. The package JS does not show exfiltration, persistence, or AI-agent control-surface mutation, but the remotely fetched native payload is opaque to static package inspection.
Rationale
This is not source-confirmed malware, but it creates unresolved risk by downloading and later executing an unbundled native binary during the package lifecycle. The behavior is package-aligned and limited to the package directory, so warn rather than block.
Evidence
- package.json
- install.js
- bin/run.js
- bin/channel-slack
- bin/channel-slack.exe
Network endpoints (3)
- github.com/deadraid/morphy-releases/releases/download/v0.6.2/
- github.com/deadraid/morphy-releases/releases/download/v0.6.2/sha256sums.txt
- github.com/deadraid/morphy-releases/releases/tag/v0.6.2
Decision evidence
public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node install.js
- install.js downloads platform binary from GitHub release at install time
- install.js verifies checksum from same GitHub release, not from package-pinned data
- bin/run.js executes downloaded bin/channel-slack with user arguments
- install.js may execute existing bin/channel-slack --version during install
Evidence against
- No code writes agent control surfaces, shell startup files, VCS hooks, or persistence locations
- Network endpoint is package repository release host, aligned with binary distribution
- No credential/env harvesting or exfiltration logic found in package JS
- No eval/vm/Function or dynamic require patterns found
- Writes are limited to package-local bin/channel-slack or bin/channel-slack.exe
Behavioral surface
ChildProcess, Crypto, Filesystem, Network
Url Strings
No License
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 4 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Medium · Network
- Low · Scripts Present
- Low · Filesystem
- Low · Url Strings
- Low · No License