AI Security Review
scanned 7d ago · by lpm-firewall-aiThe package is a thin npm wrapper that installs a native Morphy CLI binary at postinstall and runs it when the morphy command is invoked. This creates binary supply-chain risk but no confirmed malicious behavior in inspected JavaScript source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user invoking morphy runs bin/morphy.js
Impact
Installs and later executes an opaque native CLI binary, but inspected JS shows no exfiltration or control-surface hijack.
Mechanism
postinstall downloads checksummed platform binary; CLI wrapper execs it
Rationale
Static source inspection shows an install-time native binary downloader with checksum verification and a runtime wrapper, aligned with the package's CLI purpose. There is no concrete source evidence of malicious exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation, so this should not be blocked.
Evidence
package.jsoninstall.jsbin/morphy.jsbin/morphybin/morphy.exe
Network endpoints3
github.com/deadraid/morphy-releases/releases/download/v0.6.8/{binaryName}github.com/deadraid/morphy-releases/releases/download/v0.6.8/sha256sums.txtgithub.com/deadraid/morphy-releases/releases/tag/v0.6.8
Decision evidence
public snapshotAI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines postinstall: node install.js
- install.js downloads a platform binary from GitHub releases and writes bin/morphy or bin/morphy.exe
- bin/morphy.js executes the downloaded native binary with user CLI args
Evidence against
- install.js uses package-aligned GitHub repo deadraid/morphy-releases and versioned v0.6.8 URLs
- install.js verifies downloaded binary against sha256sums.txt before chmod/execution wrapper use
- No source evidence of credential harvesting, env scraping, persistence, destructive actions, or AI-agent config mutation
- Network endpoints are limited to release asset and checksum download for the CLI binary
Behavioral surface
ChildProcessCryptoFilesystemNetwork
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License