AI Security Review
scanned 15d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package exposes user-invoked notifier helpers for Lark and Telegram, with a noisy but non-malicious postinstall command.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime functions run when called by the importing application.
Impact
Can send messages or upload caller-provided files to configured Lark/Telegram destinations when invoked by user code.
Mechanism
messaging API wrapper with env-configured credentials
Rationale
Static inspection shows a notifier library whose network and environment-variable use matches its documented Lark/Telegram purpose. The postinstall lifecycle script is poor packaging hygiene but does not show malware behavior in this source tree.
Evidence
package.jsonlib/index.jslib/lark/index.jslib/lark/helper.jslib/telegram/index.jsREADME.md
Network endpoints2
api.telegram.org/bot${token}/sendMessageprocess.env.LARK_WEBHOOK_URL
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines postinstall: bun outdated, causing install-time command execution.
- Runtime messaging code reads LARK_* and TELEGRAM_* environment variables.
- lib/lark/index.js uploadImage reads a caller-supplied file path before uploading to Lark.
Evidence against
- lib/index.js only re-exports Lark and Telegram helper APIs; no import-time payload observed.
- Network use is package-aligned messaging: Telegram sendMessage, Lark SDK, and Lark webhook URL from env.
- No child_process, eval, dynamic require/import, persistence, destructive writes, credential harvesting, or reviewer/prompt manipulation found.
- README.md documents Lark and Telegram notifier purpose and required environment variables.
- postinstall command is bun outdated, not a custom downloader/dropper or exfiltration script.
Behavioral surface
EnvironmentVarsFilesystemNetwork
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = bun outdated
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = bun outdated
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License