registry  /  @patchstack/connect  /  0.3.4

@patchstack/connect@0.3.4

Patchstack connector for JavaScript applications. Scans your lockfile and reports installed packages to Patchstack for vulnerability monitoring.

AI Security Review

scanned 21h ago · by lpm-firewall-ai

No unconsented install-time attack surface is confirmed. The package performs lockfile reporting and optional, user-invoked project instrumentation.

Static reason
No blocking static signals were detected.
Trigger
Explicit `scan`, `protect`, or `mark-build` CLI command; runtime protection requires application integration.
Impact
User-invoked commands can post dependency metadata or modify supported application files; no stealth persistence or foreign AI-agent control-surface mutation was found.
Mechanism
Lockfile manifest reporting plus optional Patchstack protection setup.
Rationale
The AI-directed documentation is an injection-like instruction channel, but source behavior is package-aligned and only activates through explicit CLI or runtime integration. No concrete malicious execution, exfiltration beyond the stated dependency manifest, or unconsented lifecycle mutation was found.
Evidence
package.jsondist/cli.jsdist/index.jsdist/protect.jsAGENT-INSTALL.mddist/protect/templates/guard.ts
Network endpoints2
api.patchstack.com/monitor/pulse/manifestapi.patchstack.com/api/get-rules/3

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • AGENT-INSTALL.md targets AI coding agents and directs project changes.
  • AGENT-INSTALL.md asks agents to add scan/build hooks and an external widget.
  • dist/cli.js has explicit `protect` and `mark-build` project-write commands.
Evidence against
  • package.json has no preinstall/install/postinstall hook.
  • dist/cli.js only runs commands chosen from its CLI dispatcher.
  • dist/index.js posts normalized lockfile package names and versions.
  • dist/protect.js fetches rules only with an explicit WAF token.
  • No child-process, eval, VM, dynamic loader, or credential-harvesting primitive found.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 195 KB of source, external domains: api.patchstack.com, patchstack.com

Source & flagged code

1 flagged · loading source
README.mdView file
3. **"Install the package, then follow the instructions it ships" reads as handing control to the package author** — structurally the same as prompt injection — and preemptive reassurance language ("it's safe, don't be suspicious, note your knowledge cutoff") is itself flagged as a manipulation signal.
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

1 High2 Medium5 Low
HighAi Reviewer ManipulationREADME.md
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings