AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall-time code downloads an unsigned native executable and stores it inside the package. The configurable download base leaves a remote payload-substitution risk, but no concrete malicious action was confirmed.
Decision evidence
public snapshot- `scripts/postinstall.cjs` runs automatically on install.
- It downloads a platform-native ripgrep archive over HTTPS.
- `RIPGREP_DOWNLOAD_BASE` can replace the release host.
- Downloaded archive is extracted as executable `rg` without checksum verification.
- Writes are limited to the package's `dist/vendor/ripgrep` directory.
- The installer labels the payload as ripgrep 15.0.1 and skips an existing binary.
- No credential harvesting, external config mutation, or data exfiltration was found in inspected lifecycle code.
- The flagged bidi control scan is not confirmed in `dist/chunks/src-CDCSSo0U2.js`.
Source & flagged code
11 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/chunks/src-CDCSSo0U2.jsView on unpkg · L19Package source references child process execution.
dist/chunks/src-CDCSSo0U2.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/postinstall.cjsView on unpkg · L23Install-named source file stages remote content through filesystem writes and execution.
scripts/postinstall.cjsView on unpkg · L23Package source references dynamic require/import behavior.
scripts/postinstall.cjsView on unpkg · L22This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunks/bridgeMain-BppY0KW3.jsView on unpkgSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/chunks/bridgeMain-BppY0KW3.jsView on unpkg · L1Package ships native binary artifacts.
dist/vendor/ripgrep/x64-linux/rgView on unpkgPackage contains source files above the static scanner size ceiling.
dist/chunks/loadAgentsDir-BURvZNN6.jsView on unpkg