AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The explicit `deepkit-install` command modifies a locally resolved TypeScript compiler to register the package transformer; it is not install-time behavior and contains no observed exfiltration or remote execution.
Static reason
No blocking static signals were detected.
Trigger
User explicitly runs `deepkit-install`.
Impact
Changes local TypeScript compiler behavior only after user invocation.
Mechanism
Local TypeScript transformer registration by compiler-source patching.
Rationale
Direct inspection shows a user-invoked, package-aligned compiler patcher rather than concealed install-time or remote attack behavior. Static dynamic-require and eval signals do not establish a malicious chain.
Evidence
package.jsonbin/deepkit-install.cjsdist/index.mjsdist/transformer-9Qq95aUb.mjsdist/vendor/types-C3PrIcBl.mjs
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `bin/deepkit-install.cjs` can modify resolved TypeScript compiler files when explicitly run.
Evidence against
- `package.json` defines no lifecycle scripts, so installation does not invoke the binary.
- The binary is exposed as `deepkit-install`, requiring an explicit user command.
- Installer only patches `tsc.js`, `_tsc.js`, or `typescript.js` to register this package's transformer.
- No outbound network APIs, child-process execution, credential harvesting, or AI-agent config writes found in inspected code.
- The dynamic `require` in the injected patch resolves this package's local type compiler with a local-path fallback.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystem
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
2 flagged · loading sourcedist/vendor/types-C3PrIcBl.mjsView file
1233if (baseName === name) baseName += "Base";
L1234: return new Function(baseName, `return class ${name} extends ${baseName} {}`)(base);
L1235: }
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/vendor/types-C3PrIcBl.mjsView on unpkg · L1233bin/deepkit-install.cjsView file
1#!/usr/bin/env node
L2: let _storm_software_config_tools_logger = require("@storm-software/config-tools/logger");
L3: let node_fs = require("node:fs");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/deepkit-install.cjsView on unpkg · L1Findings
3 Medium4 Low
MediumDynamic Requirebin/deepkit-install.cjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvaldist/vendor/types-C3PrIcBl.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings