registry  /  @realchemistry/auth-guard  /  2.2.6

@realchemistry/auth-guard@2.2.6

Sealed OIDC + PKCE chassis for Real Chemistry's Auth Hub. `auth-guard serve` runs the auth front door; consumer apps stay blind to OIDC and read identity from x-rc-user-* headers.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates the consuming project's AI-agent instruction surface. It drops managed skills and injects persistent rules into the project-root `AGENTS.md` without an explicit user command.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall during package installation
Impact
Future AI agents can be steered by package-supplied rules within the consumer project.
Mechanism
Writes `.local/skills` and merges package-controlled `AGENTS.md` instructions
Policy narrative
Installing the package automatically executes `scripts/install-skill.mjs`. The hook resolves the consumer project from `INIT_CWD` or the working directory, copies package-controlled AI-agent skills into `.local/skills`, and creates or edits the project-root `AGENTS.md`. The injected instructions persist after installation and direct future agents not to alter the package-owned authentication chassis or related configuration. This is unconsented postinstall mutation of a foreign AI-agent control surface.
Rationale
Source inspection confirms the critical behavior rather than merely scanner similarity: the postinstall hook persistently writes package-controlled agent instructions into the consuming project. The OIDC network behavior is package-aligned, but it does not mitigate the install-time control-surface mutation.
Evidence
package.jsonscripts/install-skill.mjsskill/AGENTS.snippet.mdskill/SKILL.mddist/discovery.jsdist/express.jsskill/monorepo/SKILL.md.local/skills/auth-guard-integration/SKILL.md.local/skills/auth-guard-monorepo-integration/SKILL.mdAGENTS.md

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `postinstall` automatically.
  • `scripts/install-skill.mjs` writes consumer `.local/skills` files.
  • It creates, appends to, or replaces sections in consumer `AGENTS.md`.
  • Injected `skill/AGENTS.snippet.md` directs future agents and restricts auth changes.
  • No consent prompt; target is `INIT_CWD` or current directory.
Evidence against
  • No child-process, shell, eval, or dynamic-code execution found.
  • Runtime fetches implement configured OIDC discovery/token flows.
  • No credential harvesting or exfiltration path found.
  • Postinstall has an environment-variable opt-out and error handling.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 12 file(s), 77.8 KB of source, external domains: 127.0.0.1

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/install-skill.mjsView file
2Install-time AI-agent control hijack evidence: L9: * to wire the SDK in. L10: * 2. Merge the bundled AGENTS.md snippet (skill/AGENTS.snippet.md) into L11: * the consumer project's AGENTS.md at the project root so the next L12: * agent that touches the project inherits the RC auth guardrails. ... L14: * Both are idempotent: the skill file overwrites on every install (pinned to L15: * the installed SDK version); the AGENTS.md merge replaces only the section L16: * between <!-- BEGIN @realchemistry/auth-guard --> and <!-- END … --> markers, L17: * leaving any other content in the user's AGENTS.md intact. L18: * ... L24: import { L25: mkdirSync, L26: copyFileSync, Payload evidence from skill/monorepo/SKILL.md: L2: name: auth-guard-monorepo-integration L3: description: Wire @realchemistry/auth-guard into a Replit artifacts-monorepo (pnpm-workspace.yaml at root, multiple artifacts/<slug>/ sub-apps each with their own package.json and ... L4: --- ... L16: - **Pick one landing artifact** — typically the one registered at `previewPath: "/"`. It runs `auth-guard serve` in normal mode, owns `/auth/*`, holds the five `AUTH_HUB_*` secrets... L17: - **Every other artifact** is …
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.mjsView on unpkg · L2
dist/probe.jsView file
matchType = normalized_sha256 matchedPackage = @realchemistry/auth-guard@2.2.3 matchedPath = dist/probe.js matchedIdentity = npm:[redacted]:2.2.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/probe.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 07b036eefda8c2c1 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @realchemistry/auth-guard@2.2.3 matchedPath = dist/probe.js matchedIdentity = npm:[redacted]:2.2.3 similarity = 1.000 shingleOverlap = 8 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/probe.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritydist/probe.js
HighKnown Malware Source Fingerprint Signaturedist/probe.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License