AI Security Review
scanned 2h ago · by lpm-firewall-ai
No confirmed malware payload or exfiltration was found. The remaining risk is an unguarded install-time lefthook installer that could mutate the consumer project's Git hooks when a lefthook binary and config are available in the consumer's environment.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install
Impact
possible consumer project .git/hooks mutation; no package-supplied hook payload observed
Mechanism
postinstall VCS hook installer invocation
Attack narrative
On install, npm runs the package.json postinstall script, which executes lefthook install and discards its exit status (|| true). In this tarball lefthook is only a devDependency, which npm does not install for consumers, and no lefthook config or hook payload is published, so in a normal dependency install the command most likely fails and the failure is silently ignored. If a lefthook binary and config are available in the consumer context (for example, the consumer project already uses lefthook and has it on PATH), the lifecycle hook may still install or rewrite Git hooks in the consumer's repository without explicit user action.
Rationale
Source inspection found benign runtime browser/React animation utilities and no exfiltration or remote-code behavior. The unguarded postinstall VCS hook installer is an install lifecycle risk but lacks a packaged malicious hook payload, so warn rather than block.
Evidence
package.json
dist/index.js
dist/react.js
dist/ease.js
dist/reduced-motion-CI-HcBrt.js
.git/hooks
Decision evidence
public snapshot · AI called this Suspicious at 78.0% confidence (category: Dangerous Capability; medium false-positive risk).
Evidence for warning
- package.json has install-time postinstall: lefthook install || true
- postinstall invokes a VCS hook installer from consumer install context
Evidence against
- Published files contain only dist, README.md, LICENSE, and package.json
- No lefthook config or package-supplied hook files found in tarball
- dist entrypoints implement browser animation/lifecycle utilities
- No network, credential access, child_process, eval, or filesystem APIs found in runtime dist
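As an added example (not the scanner's code and not part of the reviewed package), the following Node.js script reproduces the reasoning of the attack narrative and the two evidence lists above for any package.json: it extracts the lifecycle scripts, marks which ones npm runs at install time in a consumer project, resolves the binary each one invokes, checks whether that binary is declared only under devDependencies (and so is absent from a consumer install), notes when the script discards its own exit status, and flags binaries that write to the consumer's .git/hooks. The sample package.json is constructed from the facts stated in this review rather than copied from the package, and the list of VCS hook installers (lefthook, husky, simple-git-hooks, pre-commit) is an assumption of this example.

```javascript
// Added example, not the scanner's own code: audit install-time lifecycle
// scripts in a package.json the way the review above reasons about them.
// Node.js only, no third-party dependencies.

// npm runs these as a side effect of `npm install <pkg>` in a consumer project.
const INSTALL_TIME_SCRIPTS = new Set(["preinstall", "install", "postinstall"]);
// These run for the package's own checkout or for git dependencies, not for
// registry installs, so they are lower risk for a downstream consumer.
const LOCAL_ONLY_SCRIPTS = new Set(["prepare", "prepublish"]);
// Assumed list of tools whose invocation writes to the consumer's .git/hooks.
const VCS_HOOK_INSTALLERS = new Set(["lefthook", "husky", "simple-git-hooks", "pre-commit"]);

// Constructed sample modelled on the facts the review states: a postinstall
// that runs lefthook and swallows failure; lefthook only under devDependencies.
const samplePackageJson = {
  name: "example-animation-lib",
  version: "1.0.0",
  files: ["dist", "README.md", "LICENSE"],
  scripts: {
    build: "tsc -p .",
    test: "vitest run",
    postinstall: "lefthook install || true",
  },
  dependencies: {},
  devDependencies: { lefthook: "^1.6.0", typescript: "^5.4.0" },
};

// Own-property check so a binary named e.g. "constructor" is not matched by accident.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Binary a shell command line starts with, skipping VAR=value prefixes and the
// npx / npm exec launchers, so "npx --yes lefthook install" resolves to lefthook.
function commandBinary(command) {
  const tokens = command.trim().split(/\s+/).filter((t) => !/^[A-Za-z_]\w*=/.test(t));
  let i = 0;
  if (tokens[0] === "npx") i = 1;
  else if (tokens[0] === "npm" && tokens[1] === "exec") i = 2;
  while (i < tokens.length && tokens[i].startsWith("-")) i++;
  return tokens[i] || "";
}

// True when the script hides its own failure: `cmd || true`, `cmd || exit 0`, `cmd; true`.
function swallowsFailure(command) {
  return /(\|\|\s*(true|exit\s+0)|;\s*true)\s*$/.test(command);
}

// Explain whether the invoked binary will exist in a consumer's install.
function availabilityNote(pkg, bin) {
  const deps = pkg.dependencies || {};
  const devDeps = pkg.devDependencies || {};
  if (has(deps, bin)) return `${bin} is a runtime dependency, so it is present in every consumer install`;
  if (has(devDeps, bin)) {
    return `${bin} is only a devDependency, which npm does not install for consumers; ` +
      `the command runs only if the consumer already has ${bin} on PATH`;
  }
  return `${bin} is not declared by the package; it comes from the consumer's environment or not at all`;
}

function classifyScript(pkg, name, command) {
  const bin = commandBinary(command);
  const deps = pkg.dependencies || {};
  const devDeps = pkg.devDependencies || {};
  const installTime = INSTALL_TIME_SCRIPTS.has(name);
  const severity = installTime ? "high" : LOCAL_ONLY_SCRIPTS.has(name) ? "medium" : "low";
  return {
    name, command, bin, installTime, severity,
    binFromDevDepOnly: has(devDeps, bin) && !has(deps, bin),
    swallowsFailure: swallowsFailure(command),
    touchesGitHooks: VCS_HOOK_INSTALLERS.has(bin),
    note: availabilityNote(pkg, bin),
  };
}

// Every script npm may run as a side effect of installation, install-time ones first.
function auditLifecycleScripts(pkg) {
  return Object.entries(pkg.scripts || {})
    .filter(([name]) => INSTALL_TIME_SCRIPTS.has(name) || LOCAL_ONLY_SCRIPTS.has(name))
    .map(([name, command]) => classifyScript(pkg, name, command))
    .sort((a, b) => Number(b.installTime) - Number(a.installTime));
}

// CLI use: `node audit.js path/to/package.json`; with no argument, audit the sample.
if (typeof require !== "undefined" && require.main === module) {
  const pkg = process.argv[2]
    ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"))
    : samplePackageJson;
  for (const f of auditLifecycleScripts(pkg)) {
    console.log(`[${f.severity}] ${f.name}: ${f.command}`);
    console.log(`  ${f.note}`);
    if (f.touchesGitHooks) console.log(`  ${f.bin} installs Git hooks into the consumer's repository`);
    if (f.swallowsFailure) console.log("  exit status is discarded, so an absent binary fails silently");
  }
}
```

For a published package, npm view <name> scripts shows the same field without downloading the tarball, and npm install --ignore-scripts (or ignore-scripts=true in .npmrc) prevents any install-time lifecycle script, including the one flagged here, from running at all.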
Behavioral surface
Source & flagged code
2 flagged
package.json
• scripts.postinstall = lefthook install || true
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = lefthook install || true
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Low · Non Install Lifecycle Scripts
Low · Scripts Present