
@runewolf/phase-poc@0.0.6

The lifecycle-aware performance layer for the web. Know when to animate, when to render, and when to pause

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A postinstall lifecycle hook attempts to run lefthook installation, which can modify Git hooks if applicable. No malicious runtime payload, exfiltration, or agent control-surface mutation was found in the shipped library code.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
possible VCS hook mutation; no shipped hook payload confirmed
Mechanism
install-time lefthook install command
Attack narrative
On installation, npm runs package.json postinstall, which invokes lefthook install and suppresses failure. That can create or update Git hooks in environments where lefthook and config are available, but this tarball does not include a lefthook config or hook payload, and the runtime dist files are package-aligned animation/React utilities without exfiltration or code execution behavior.
Rationale
The only concrete risk is an unnecessary install-time hook installer; source inspection did not find malware behavior in published runtime files. This warrants a warning for lifecycle hook abuse risk rather than a publish block.
Evidence
package.json, dist/index.js, dist/ease.js, dist/react.js, dist/reduced-motion-CI-HcBrt.js, .git/hooks

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: "lefthook install || true", an install-time command intended to install VCS hooks.
  • The published files contain no lefthook config, making the lifecycle hook unnecessary for the runtime library.
Evidence against
  • Published entrypoints are dist/index.js, dist/ease.js, and dist/react.js; inspected code is browser/React animation lifecycle utilities.
  • No fetch/XMLHttpRequest/WebSocket/sendBeacon, child_process, eval/Function, fs writes, credential reads, or AI-agent control-surface writes found in package.json or dist JS files.
  • package.json files list only dist, LICENSE, and README.md; no hidden payload or hook config files were present.
  • Network references are limited to repository/readme links, not runtime endpoints.
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 60.9 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = lefthook install || true
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = lefthook install || true
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 1 Medium, 2 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Low: Non Install Lifecycle Scripts
Low: Scripts Present