AI Security Review
scanned 3h ago · by lpm-firewall-aiInstall-time code fetches an unsigned native ripgrep payload and stores it in the package directory. Runtime search functionality launches that vendor binary.
Decision evidence
public snapshot- `scripts/postinstall.cjs` runs automatically on npm install.
- It downloads a platform-specific ripgrep archive, extracts it, and writes `dist/vendor/ripgrep/<arch>-<platform>/rg`.
- The downloaded archive has no checksum, signature, or hash verification.
- `RIPGREP_DOWNLOAD_BASE` can replace the release host, and runtime code executes the resulting local ripgrep binary.
- Default download source is a named ripgrep-prebuilt GitHub release.
- The installer only targets the package-local ripgrep vendor directory.
- No credential harvesting, data exfiltration, or AI-agent configuration mutation was found in the install hook.
- Download failure is logged as non-fatal rather than triggering fallback code execution.
Source & flagged code
10 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/chunks/src-CDCSSo0U2.jsView on unpkg · L19Package source references child process execution.
dist/chunks/src-CDCSSo0U2.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/postinstall.cjsView on unpkg · L23Install-named source file stages remote content through filesystem writes and execution.
scripts/postinstall.cjsView on unpkg · L23Package source references dynamic require/import behavior.
scripts/postinstall.cjsView on unpkg · L22Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/chunks/bridgeMain-CtgVyLjI.jsView on unpkg · L1Package ships native binary artifacts.
dist/vendor/ripgrep/x64-linux/rgView on unpkgPackage contains source files above the static scanner size ceiling.
dist/chunks/loadAgentsDir-ZQwvbURI.jsView on unpkg