AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface is present in this package's own source. The only install-time surface is a postinstall command delegated to @threadplane/telemetry via a wildcard dependency.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall
Impact
Unresolved dependency-provided install-time telemetry command; no source evidence here of exfiltration, persistence, destructive behavior, or AI-agent control mutation.
Mechanism
delegated telemetry postinstall plus Angular runtime rendering library
Rationale
Static inspection shows a normal Angular rendering library and no local malicious code, but the postinstall hook delegates to a wildcard telemetry dependency outside this package. That unresolved install-time behavior warrants a warning rather than a publish block for @threadplane/render@0.0.56 itself.
Evidence
package.jsonfesm2022/threadplane-render.mjstypes/threadplane-render.d.tsREADME.md
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json declares postinstall: threadplane-telemetry-postinstall || true.
- package.json depends on @threadplane/telemetry: *, so install-time behavior is delegated to a dependency not present in this package.
Evidence against
- package.json has no bin field and package files contain no local postinstall executable.
- fesm2022/threadplane-render.mjs imports only Angular, Angular common, and @json-render/core.
- fesm2022/threadplane-render.mjs implements Angular render components/providers, registry helpers, state store, and event handling.
- rg found no child_process, fs access, eval/Function, dynamic require/import, fetch/XMLHttpRequest/WebSocket, credential harvesting, or network endpoints in source.
- README.md describes normal Angular render-engine usage and install instructions.
Behavioral surface
WildcardDependency
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = threadplane-telemetry-postinstall || true
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = threadplane-telemetry-postinstall || true
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumWildcard Dependency
LowScripts Present