AI Security Review
scanned 8d ago · by lpm-firewall-aiThe package is a native-binary installer and CLI shim for an autonomous AI agent. The unresolved risk is the install-time fetched executable, whose contents are not present in the package source inspected here.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; morphy CLI runs the installed binary
Impact
Installer places and later executes an opaque native agent binary; no confirmed malicious behavior in inspected JS package code.
Mechanism
postinstall remote binary download and CLI exec shim
Attack narrative
On installation, install.js selects a platform-specific binary name, downloads it from deadraid/morphy-releases GitHub release v0.6.6, verifies it against sha256sums.txt from the same release, chmods it, and stores it as bin/morphy or bin/morphy.exe. The published JS CLI then delegates execution to that binary. Source inspection did not find credential theft, persistence, foreign agent config mutation, or install-time agent control hijack.
Rationale
The inspected package source does not establish malware, but it does install and execute an opaque remote native binary for an agent with powerful user-invoked capabilities. This warrants a warning as a staged payload/native binary carrier rather than a publish block.
Evidence
package.jsoninstall.jsbin/morphy.jsREADME.mdbin/morphybin/morphy.exe
Network endpoints2
github.com/deadraid/morphy-releases/releases/download/v0.6.6/<platform-binary>github.com/deadraid/morphy-releases/releases/download/v0.6.6/sha256sums.txt
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node install.js
- install.js downloads a platform executable from GitHub releases during install
- install.js verifies sha256sums.txt from the same release source, not an independent trust root
- bin/morphy.js executes the downloaded bin/morphy or bin/morphy.exe with user arguments
- README advertises autonomous agent features including shell, file editing, MCP, server, and yolo modes
Evidence against
- No code writes Claude/Codex/Cursor/MCP config or other foreign AI-agent control surfaces
- Install writes only inside the package bin directory
- Network endpoints are package-aligned GitHub release URLs
- No credential/env harvesting or exfiltration logic in JS sources
- Dangerous agent capabilities appear runtime user-invoked, not install-time activated
Behavioral surface
ChildProcessCryptoFilesystemNetwork
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License