AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall-time code retrieves an opaque platform-native executable, writes it under this package's `vendor/` directory, and marks it executable. The inspected JavaScript does not establish malicious behavior inside that binary.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall, or first `rein` CLI invocation after an ignored/failed install script
Impact
A release-hosted native payload executes when the user runs `rein`; its contents are not present for static source inspection.
Mechanism
remote native payload download, extraction, and execution launcher
Rationale
The package is not proven malicious by its JavaScript source, but it automatically installs an opaque executable payload whose integrity check is not independently anchored. Treat it as a staged payload carrier pending native-binary inspection.
Evidence
package.jsonscripts/postinstall.mjsbin/rein.jsREADME.mdvendor/vendor/reinvendor/spawn-helpervendor/.rein-managed-by
Network endpoints2
github.com/rein-industries/rein/releases/download/v<version>/SHA256SUMSgithub.com/rein-industries/rein/releases/download/v<version>/rein-<platform>.tar.gz
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` runs `postinstall`.
- `scripts/postinstall.mjs` downloads and extracts a native tarball.
- Downloaded `vendor/rein` is made executable.
- Checksum file and binary come from the same release endpoint.
- `REINS_RELEASE_BASE` can redirect download source.
Evidence against
- No credential, environment, or local-file harvesting found.
- No source evidence of exfiltration or destructive actions.
- No AI-agent config/control-surface writes found.
- `bin/rein.js` executes the binary only when the CLI is invoked.
- Downloader is version-pinned by default and verifies SHA-256.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License