registry  /  @newrelic/preflight  /  1.4.1

@newrelic/preflight@1.4.1

New Relic MCP server for observing AI coding assistants (Claude Code, Cursor, Windsurf, Copilot, and more)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package explicitly installs a New Relic-owned Claude Code MCP server and hooks for AI observability, which is an agent-extension lifecycle risk but user-invoked and package-aligned.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `preflight install`, `preflight setup`, `preflight schedule`, or starts the MCP/hook binaries.
Impact
Can observe AI tool metadata and optionally redacted tool content, persist local dashboard/update launchd jobs, and send telemetry to configured New Relic endpoints.
Mechanism
Explicit Claude Code hook/MCP setup plus local telemetry buffering and New Relic export.
Rationale
Static inspection shows explicit, package-aligned setup of New Relic Preflight hooks/MCP integration rather than unconsented install-time mutation or malware. Because it writes AI-agent control-surface config and optional launchd persistence when invoked by the user, warn rather than block.
Evidence
package.jsondist/install/cli.jsdist/install/install-helper.jsdist/install/schedule.jsdist/hooks/collector-script.jsdist/install/key-validator.jsdist/config.js~/.claude/settings.json~/.mcp.json~/.newrelic-preflight/config.json~/.newrelic-preflight/buffer-{sessionId}.jsonl~/.newrelic-preflight/session-by-ppid/{pid}.txt~/Library/LaunchAgents/com.preflight.update.plist~/Library/LaunchAgents/com.preflight.dashboard.plist
Network endpoints6
insights-collector.newrelic.com/v1/accounts/{accountId}/eventsinsights-collector.eu01.nr-data.net/v1/accounts/{accountId}/eventsgov-insights-collector.newrelic.com/v1/accounts/{accountId}/eventsapi.newrelic.com/graphqlapi.eu.newrelic.com/graphql{host}:{port}/api/health

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/install/cli.js user-invoked `preflight install` writes Claude Code hooks and MCP config.
  • dist/install/install-helper.js adds PreToolUse/PostToolUse commands invoking `preflight-collector`.
  • dist/install/schedule.js can install macOS launchd auto-update/dashboard plists via explicit schedule/setup flows.
  • dist/hooks/collector-script.js records Claude Code tool metadata and optional redacted content to local JSONL buffers.
Evidence against
  • package.json has only `prepare: husky || true`; no npm install/postinstall hook mutates user config.
  • Hook/MCP mutation is behind explicit CLI commands, not import-time or install-time execution.
  • Network endpoints are New Relic ingest/NerdGraph and local dashboard health checks, aligned with package purpose.
  • Collector defaults avoid full content capture unless `NEW_RELIC_AI_MCP_RECORD_CONTENT=true` and includes redaction patterns.
  • No remote payload download/execute, credential harvesting beyond user-provided New Relic keys, or stealth persistence found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 145 file(s), 2.06 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.newrelic.com, bit.ly, git-scm.com, github.com, hooks.slack.com, insights-collector.newrelic.com, newrelic.com, one.newrelic.com, otlp.nr-data.net, react.dev, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/install/schedule.jsView file
1import { execFileSync } from 'node:child_process'; L2: import { writeFileSync, readFileSync, existsSync, statSync, accessSync, constants, unlinkSync, mkdirSync, } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/install/schedule.jsView on unpkg · L1
dist/install/platform.jsView file
75} L76: // Last resort: ask cmd.exe (requires WSL interop to be enabled). L77: // Pass the full command as one string after /c so cmd.exe expands %USERPROFILE%
High
Shell

Package source references shell execution.

dist/install/platform.jsView on unpkg · L75
dist/install/setup-wizard.jsView file
22try { L23: entryPoint = realpathSync(process.argv[1] ?? process.cwd()); L24: } ... L69: function print(msg = '') { L70: process.stdout.write(msg + '\n'); L71: } ... L74: try { L75: parsed = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8')); L76: } ... L170: if (mode !== 'local') { L171: const envAccountId = process.env.NEW_RELIC_ACCOUNT_ID?.trim() ?? ''; L172: const existingAccountId = typeof existing.accountId === 'string' ? existing.accountId : '';
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/install/setup-wizard.jsView on unpkg · L22
dist/install/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @newrelic/preflight@1.3.0 matchedIdentity = npm:QG5ld3JlbGljL3ByZWZsaWdodA:1.3.0 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/install/cli.jsView on unpkg
335try { L336: gitRoot = execFileSync('git', ['-C', repoRoot, 'rev-parse', '--show-toplevel'], { L337: stdio: 'pipe', L338: env: { ...process.env, GIT_DIR: undefined, GIT_WORK_TREE: undefined }, L339: }) ... L345: print('✗ git is not installed or not found on PATH.'); L346: print(' Install git (https://git-scm.com) then retry: preflight update'); L347: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/install/cli.jsView on unpkg · L335
362print(' To update, reinstall using your package manager, e.g.:'); L363: print(' npm install -g @newrelic/preflight@latest'); L364: print(' pnpm add -g @newrelic/preflight@latest'); ... L369: print('→ git pull'); L370: execFileSync('git', ['pull'], { cwd: repoRoot, stdio: 'inherit' }); L371: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install/cli.jsView on unpkg · L362

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/install/cli.js
HighChild Processdist/install/schedule.js
HighShelldist/install/platform.js
HighSame File Env Network Executiondist/install/cli.js
HighRuntime Package Installdist/install/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/install/setup-wizard.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings