
@runewolf/phase-poc@0.0.5

The lifecycle-aware performance layer for the web. Know when to animate, when to render, and when to pause

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malware payload or exfiltration was found. The remaining risk is an unguarded install-time lefthook installer that could mutate the consumer project's Git hooks when a lefthook binary and config are available in the consumer's environment.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install
Impact
possible consumer project .git/hooks mutation; no package-supplied hook payload observed
Mechanism
postinstall VCS hook installer invocation
Attack narrative
On install, npm runs the package.json postinstall script, which executes lefthook install || true; the || true discards the exit status, so a failure is invisible to the consumer. In this tarball lefthook is declared only as a devDependency, which npm does not install for consumers, and no lefthook config or hook payload is published, so in a normal dependency install the lefthook binary is not found and the script fails silently. If a lefthook binary is resolvable on the install PATH (for example because the consumer project itself depends on lefthook or has it installed globally) and a config is present in the consumer repository, the lifecycle hook may still install or rewrite that repository's Git hooks without explicit user action.
Rationale
Source inspection found benign runtime browser/React animation utilities and no exfiltration or remote-code behavior. The unguarded postinstall VCS hook installer is an install lifecycle risk but lacks a packaged malicious hook payload, so warn rather than block.
Evidence
  • package.json
  • dist/index.js
  • dist/react.js
  • dist/ease.js
  • dist/reduced-motion-CI-HcBrt.js
  • .git/hooks
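The two manifest findings on this page and the devDependency point in the attack narrative can be reproduced with a short check over package.json. The following is an added example written for this page, not code from lpm-firewall-ai or from @runewolf/phase-poc; the allowlist of routine install commands, the "build" script and the version ranges in the sample manifest are assumptions.

```javascript
// Added example, not code from the scanner or the @runewolf/phase-poc package.
// It reproduces the report's manifest findings over a package.json object:
// install-time lifecycle scripts, scripts not on a reviewer allowlist, and,
// for an ambiguous script, three details a reviewer wants: whether it invokes
// a VCS hook installer, whether its failure is masked with "|| true", and
// whether the binary it runs is shipped to consumers as a runtime dependency.
// The allowlist and the sample manifest below are assumptions.

// Scripts npm runs when a package is installed from the registry.
const INSTALL_HOOKS = new Set(["preinstall", "install", "postinstall"]);

// Reviewer allowlist of routine install-time commands (assumption for illustration).
const ALLOWLISTED_INSTALL_COMMANDS = [/^node-gyp rebuild$/, /^tsc$/, /^tsc -b$/];

// Tools whose "install" subcommand writes into the consumer's .git/hooks.
const VCS_HOOK_INSTALLERS = ["lefthook", "husky", "simple-git-hooks"];

// "cmd || true" (or "|| exit 0") hides a non-zero exit from npm and the user.
function failureMasked(cmd) {
  return /\|\|\s*(true|exit\s+0)\s*$/.test(cmd.trim());
}

// First word of the command is the binary npm will look up on PATH.
function binaryOf(cmd) {
  return cmd.trim().split(/\s+/)[0];
}

// Where the package declares the binary it runs: "dependencies" reaches
// consumers, "devDependencies" does not, null means it is not declared at all.
function binaryProvidedBy(pkg, bin) {
  if (pkg.dependencies && bin in pkg.dependencies) return "dependencies";
  if (pkg.devDependencies && bin in pkg.devDependencies) return "devDependencies";
  return null;
}

function classifyScripts(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const [name, cmd] of Object.entries(scripts)) {
    if (!INSTALL_HOOKS.has(name)) continue;
    findings.push({ severity: "High", rule: "Install Time Lifecycle Scripts", script: name, cmd });
    const allowlisted = ALLOWLISTED_INSTALL_COMMANDS.some((re) => re.test(cmd.trim()));
    if (allowlisted) continue;
    const finding = { severity: "Medium", rule: "Ambiguous Install Lifecycle Script", script: name, cmd };
    const bin = binaryOf(cmd);
    if (VCS_HOOK_INSTALLERS.includes(bin)) {
      finding.vcsHookInstaller = bin;
      finding.failureMasked = failureMasked(cmd);
      finding.binaryProvidedBy = binaryProvidedBy(pkg, bin);
    }
    findings.push(finding);
  }
  const nonInstall = Object.keys(scripts).filter((n) => !INSTALL_HOOKS.has(n));
  if (nonInstall.length) {
    findings.push({ severity: "Low", rule: "Non Install Lifecycle Scripts", scripts: nonInstall });
  }
  if (Object.keys(scripts).length) findings.push({ severity: "Low", rule: "Scripts Present" });
  return findings;
}

// Count findings per severity, e.g. { High: 1, Medium: 1, Low: 2 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Constructed manifest mirroring the evidence on this page; the "build" script
// and the version ranges are invented for the example.
const SAMPLE_MANIFEST = {
  name: "@runewolf/phase-poc",
  version: "0.0.5",
  files: ["dist", "README.md", "LICENSE"],
  scripts: { build: "tsup", postinstall: "lefthook install || true" },
  devDependencies: { lefthook: "^1.0.0", tsup: "^8.0.0" },
};

const REPORT = classifyScripts(SAMPLE_MANIFEST);
console.log(summarize(REPORT));
console.log(JSON.stringify(REPORT, null, 2));
```

For the sample manifest the ambiguous finding carries vcsHookInstaller "lefthook", failureMasked true and binaryProvidedBy "devDependencies", which is the whole basis for the "fails harmlessly unless the consumer already has lefthook" judgement above.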

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has install-time postinstall: lefthook install || true
  • postinstall invokes a VCS hook installer from consumer install context
Evidence against
  • Published files contain only dist, README.md, LICENSE, and package.json
  • No lefthook config or package-supplied hook files found in tarball
  • dist entrypoints implement browser animation/lifecycle utilities
  • No network, credential access, child_process, eval, or filesystem APIs found in runtime dist
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 60.8 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = lefthook install || true

High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High · 1 Medium · 2 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Low: Non Install Lifecycle Scripts
Low: Scripts Present