registry  /  @newrelic/preflight  /  1.5.1

@newrelic/preflight@1.5.1

New Relic MCP server for observing AI coding assistants (Claude Code, Cursor, Windsurf, Copilot, and more)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package can install first-party Claude Code hooks and optional user-approved macOS launchd scheduling through explicit CLI setup. Those hooks record AI-assistant telemetry locally and may forward configured telemetry to New Relic.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `preflight install` or interactive `preflight setup`; cloud forwarding requires non-local configuration.
Impact
Assistant activity metadata and configured telemetry can be collected; optional persistence can keep the package dashboard or updater active.
Mechanism
Explicit first-party AI-agent hook setup with optional telemetry export and opt-in persistence.
Rationale
Source establishes explicit, first-party assistant integration and optional persistence, not unconsented install-time hijacking. Treat as a warning for lifecycle risk rather than malicious blocking.
Evidence
package.jsondist/index.jsdist/hooks/collector-script.jsdist/install/cli.jsdist/install/setup-wizard.jsdist/install/json-utils.jsdist/security/ssrf.jsdist/config.jsdist/digest/digest-sender.js~/.claude/settings.json~/.mcp.json~/.newrelic-preflight~/Library/LaunchAgents/com.preflight.dashboard.plist
Network endpoints2
otlp.nr-data.nethooks.slack.com/

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/install/cli.js` exposes explicit install/uninstall commands that modify assistant settings.
  • `dist/install/setup-wizard.js` prompts before installing Claude hooks and optional macOS launchd persistence.
  • `dist/hooks/collector-script.js` collects hook metadata/transcript token usage into `~/.newrelic-preflight`.
  • `dist/index.js` starts New Relic ingest only in non-local configured modes.
  • `dist/config.js` defaults configured cloud telemetry to `https://otlp.nr-data.net`.
  • `dist/digest/digest-sender.js` can POST a user-supplied Slack digest to `hooks.slack.com`.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; its only lifecycle hook is `prepare: husky || true`.
  • Hook/config mutations are reached through explicit `preflight install` or interactive `setup`, not package import.
  • `dist/install/json-utils.js` rejects writes outside HOME, cwd, or an allowed storage base.
  • `dist/security/ssrf.js` blocks loopback, private, and cloud-metadata destinations.
  • `dist/hooks/collector-script.js` redacts common credential formats and defaults content recording off.
  • No eval/vm payload loading, covert exfiltration, or foreign broad agent-control mutation was confirmed.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 152 file(s), 2.33 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.newrelic.com, aws.github.io, bit.ly, docs.windsurf.com, git-scm.com, github.com, hooks.slack.com, insights-collector.newrelic.com, newrelic.com, one.newrelic.com, otlp.nr-data.net, react.dev, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/install/schedule.jsView file
1import { execFileSync } from 'node:child_process'; L2: import { writeFileSync, readFileSync, existsSync, statSync, accessSync, constants, unlinkSync, mkdirSync, } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/install/schedule.jsView on unpkg · L1
dist/install/platform.jsView file
75} L76: // Last resort: ask cmd.exe (requires WSL interop to be enabled). L77: // Pass the full command as one string after /c so cmd.exe expands %USERPROFILE%
High
Shell

Package source references shell execution.

dist/install/platform.jsView on unpkg · L75
dist/hooks/subagent-watcher.jsView file
95constructor(options = {}) { L96: this.storagePath = options.storagePath ?? join(homedir(), '.newrelic-preflight'); L97: this.projectsDir = options.projectsDir ?? join(homedir(), PROJECTS_DIR_NAME); L98: this.pollIntervalMs = options.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS; L99: const envHours = parseInt(process.env.NR_AI_WATCHER_DISCOVERY_HOURS ?? '', 10); L100: this.discoveryHours = ... L393: return; L394: const chunk = buf.subarray(0, actuallyRead).toString('utf-8'); L395: this.bytesRead += actuallyRead;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/hooks/subagent-watcher.jsView on unpkg · L95
dist/install/setup-wizard.jsView file
23try { L24: entryPoint = realpathSync(process.argv[1] ?? process.cwd()); L25: } ... L70: function print(msg = '') { L71: process.stdout.write(msg + '\n'); L72: } ... L75: try { L76: parsed = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8')); L77: } ... L171: if (mode !== 'local') { L172: const envAccountId = process.env.NEW_RELIC_ACCOUNT_ID?.trim() ?? ''; L173: const existingAccountId = typeof existing.accountId === 'string' ? existing.accountId : '';
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/install/setup-wizard.jsView on unpkg · L23
dist/security/ssrf.jsView file
1import { lookup as dnsLookup } from 'node:dns'; L2: const ALLOWED_SCHEMES = new Set(['http:', 'https:']); ... L12: const BLOCKED_METADATA_IPS = new Set(['100.100.100.200']); L13: // Matches loopback, RFC-1918 private ranges, link-local (169.254/16), and L14: // IPv4 multicast (224.0.0.0/4, i.e. 224–239.x.x.x).
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/security/ssrf.jsView on unpkg · L1
dist/install/cli.jsView file
396print(' To update, reinstall using your package manager, e.g.:'); L397: print(' npm install -g @newrelic/preflight@latest'); L398: print(' pnpm add -g @newrelic/preflight@latest'); ... L403: print('→ git pull'); L404: execFileSync('git', ['pull'], { cwd: repoRoot, stdio: 'inherit' }); L405: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install/cli.jsView on unpkg · L396
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @newrelic/preflight@1.4.44 matchedIdentity = npm:QG5ld3JlbGljL3ByZWZsaWdodA:1.4.44 similarity = 0.883 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/install/schedule.js
HighShelldist/install/platform.js
HighCloud Metadata Accessdist/security/ssrf.js
HighRuntime Package Installdist/install/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/install/setup-wizard.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/hooks/subagent-watcher.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings