registry  /  @newrelic/preflight  /  1.0.8

@newrelic/preflight@1.0.8

New Relic MCP server for observing AI coding assistants (Claude Code, Cursor, Windsurf, Copilot, and more)

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI-assistant observability CLI/MCP server with explicit setup commands that install hooks, store local telemetry, and optionally send telemetry to New Relic.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `preflight install`, `preflight setup`, `preflight schedule`, `preflight --stdio`, or the `preflight-collector` hook.
Impact
Collects AI tool/session metadata and optional content for observability; no unconsented install-time execution or covert exfiltration found.
Mechanism
User-consented observability hooks, local buffering, and New Relic telemetry export
Rationale
Static inspection found powerful hook, file-write, child-process, scheduling, and telemetry behavior, but it is tied to explicit CLI setup/runtime observability features for New Relic Preflight rather than covert lifecycle execution. No credential harvesting, hidden payload, destructive action, or unconsented AI-agent control-surface mutation was confirmed.
Evidence
package.jsondist/index.jsdist/install/cli.jsdist/install/install-helper.jsdist/install/schedule.jsdist/hooks/collector-script.jsdist/shared/transport/http-client.jsdist/tools/cross-session-tools.js~/.claude/settings.json~/.mcp.json~/.newrelic-preflight/config.json~/.newrelic-preflight/buffer-{sessionId}.jsonl~/Library/LaunchAgents/com.preflight.update.plist~/Library/LaunchAgents/com.preflight.dashboard.plist
Network endpoints12
insights-collector.newrelic.com/v1/accounts/{accountId}/eventsinsights-collector.eu01.nr-data.net/v1/accounts/{accountId}/eventsgov-insights-collector.newrelic.com/v1/accounts/{accountId}/eventsmetric-api.newrelic.com/metric/v1metric-api.eu.newrelic.com/metric/v1gov-metric-api.newrelic.com/metric/v1log-api.newrelic.com/log/v1log-api.eu.newrelic.com/log/v1gov-log-api.newrelic.com/log/v1api.newrelic.com/graphqlapi.eu.newrelic.com/graphqlhooks.slack.com/

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • User-invoked `preflight install` writes Claude Code hooks and MCP config via dist/install/cli.js and dist/install/install-helper.js.
  • User-invoked schedule/setup can write macOS LaunchAgent plists via dist/install/schedule.js.
  • Runtime collector reads Claude hook stdin/transcripts and writes local JSONL telemetry buffers in dist/hooks/collector-script.js.
  • Configured cloud mode sends telemetry to New Relic ingest endpoints in dist/shared/transport/http-client.js.
Evidence against
  • package.json lifecycle hook is only `prepare: husky || true`; no install-time package execution path observed.
  • dist/index.js dispatches install/setup/schedule/update only as explicit CLI subcommands, not on import.
  • Hook/MCP config mutation is package-aligned observability setup and removable via uninstall paths.
  • Collector defaults avoid full content capture unless env/config enables it, applies redaction, and writes local buffers.
  • Network endpoints are New Relic or user-provided collector/Slack webhook URLs tied to documented observability/digest features.
  • Child process use is bounded to git/update, launchctl scheduling, WSL path resolution, or OS notification helpers.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 142 file(s), 2.02 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.newrelic.com, bit.ly, git-scm.com, github.com, hooks.slack.com, insights-collector.newrelic.com, newrelic.com, one.newrelic.com, otlp.nr-data.net, react.dev, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

5 flagged · loading source
dist/install/schedule.jsView file
1import { execFileSync } from 'node:child_process'; L2: import { writeFileSync, readFileSync, existsSync, statSync, accessSync, constants, unlinkSync, mkdirSync, } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/install/schedule.jsView on unpkg · L1
dist/install/platform.jsView file
75} L76: // Last resort: ask cmd.exe (requires WSL interop to be enabled). L77: // Pass the full command as one string after /c so cmd.exe expands %USERPROFILE%
High
Shell

Package source references shell execution.

dist/install/platform.jsView on unpkg · L75
dist/install/setup-wizard.jsView file
22try { L23: entryPoint = realpathSync(process.argv[1] ?? process.cwd()); L24: } ... L69: function print(msg = '') { L70: process.stdout.write(msg + '\n'); L71: } ... L74: try { L75: parsed = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8')); L76: } ... L170: if (mode !== 'local') { L171: const envAccountId = process.env.NEW_RELIC_ACCOUNT_ID?.trim() ?? ''; L172: const existingAccountId = typeof existing.accountId === 'string' ? existing.accountId : '';
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/install/setup-wizard.jsView on unpkg · L22
dist/install/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @newrelic/preflight@1.0.7 matchedIdentity = npm:QG5ld3JlbGljL3ByZWZsaWdodA:1.0.7 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/install/cli.jsView on unpkg
182print(' To update, reinstall using your package manager, e.g.:'); L183: print(' npm install -g @newrelic/preflight@latest'); L184: print(' pnpm add -g @newrelic/preflight@latest'); ... L189: print('→ git pull'); L190: execFileSync('git', ['pull'], { cwd: repoRoot, stdio: 'inherit' }); L191: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install/cli.jsView on unpkg · L182

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/install/cli.js
HighChild Processdist/install/schedule.js
HighShelldist/install/platform.js
HighRuntime Package Installdist/install/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/install/setup-wizard.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings