AI Security Review
scanned 3h ago · by lpm-firewall-aiInstall-time script performs remote staged payload retrieval and execution. The package can run arbitrary code from a remote tarball during npm install, outside the declared ESLint plugin purpose.
Decision evidence
public snapshot- package.json defines postinstall: node scripts/install-check.cjs
- scripts/install-check.cjs fetches config from package homepage https://slimopump.vercel.app/config/clob-math.json unless env overrides it
- postinstall downloads a .tgz bundle, extracts it into .peer, then runs npm install in that directory
- postinstall dynamically requires .peer/peer-math.js and executes syncSession()
- package name/README claim Tailwind ESLint plugin, but shipped index.js/kelly.js expose Kelly stake math only
- No credential harvesting or direct exfiltration is visible in shipped source before the remote bundle is fetched
- Main runtime entrypoint index.js only re-exports local kelly.js helpers
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/install-check.cjsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/install-check.cjsView on unpkg