registry  /  @trumbodev/cli-windows-arm64  /  3.0.38

@trumbodev/cli-windows-arm64@3.0.38

Trumbo CLI binary for windows arm64

AI Security Review

scanned 7h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. The package ships a native CLI and bundled Trumbo Hub/plugin UI with user-invoked extension and marketplace management.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
explicit trumbo CLI execution
Impact
package-aligned CLI/plugin behavior; no confirmed credential theft, persistence, destructive action, or foreign AI-agent control hijack
Mechanism
native CLI binary with local webview assets and plugin sandbox
Rationale
The risky primitives are consistent with a platform CLI that runs only when invoked and manages its own Trumbo plugins/skills/MCP UI; there are no lifecycle hooks or unconsented writes to foreign agent control surfaces. Native binary opacity remains a residual packaging risk, but inspected manifest, bundled JS, and strings do not establish malicious behavior.
Evidence
package.jsonbin/trumbo.exeextensions/plugin-sandbox-bootstrap.jshub/webview/index.htmlhub/webview/assets/extensions-view-D15eD0m6.jshub/webview/assets/mermaid-parser-BfrZ3jm6.jshub/webview/assets/jsx-Bz0zcwM4.js
Network endpoints5
registry.npmjs.orgapi.github.comgithub.comregistry.npmjs.org/bun-examples-all/latest/api/marketplace/catalog

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; only bin maps trumbo to bin/trumbo.exe.
    • bin/trumbo.exe is a Windows ARM64 PE binary, activated by explicit CLI execution.
    • extensions/plugin-sandbox-bootstrap.js loads user-specified Trumbo plugins and registers package-aligned tools/rules/MCP contributions.
    • hub/webview/index.html only loads bundled local assets for Trumbo Hub UI.
    • Marketplace/MCP/skill/plugin code in hub/webview/assets/extensions-view-D15eD0m6.js is user-driven UI, not install-time mutation.
    • Scanner dynamic require/network hits are bundled syntax grammars, Mermaid/LSP code, Bun runtime strings, and local app API calls.
    Behavioral surface
    Source
    ChildProcessDynamicRequireFilesystemNetworkWebSocket
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
    Manifest
    NoLicense
    scanned 125 file(s), 5.69 MB of source, external domains: 0.0.0.0, api.example.com, base-ui.com, chevrotain.io, en.wikipedia.org, example.com, github.com, langium.org, models.dev, radix-ui.com, react.dev, www.ibm.com, www.w3.org

    Source & flagged code

    4 flagged · loading source
    hub/webview/assets/jsx-Bz0zcwM4.jsView file
    1var e=[Object.freeze(JSON.parse(`{"displayName":"JSX","name":"jsx","patterns":[{"include":"#directives"},{"include":"#statements"},{"include":"#shebang"}],"repository":{"access-mod...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    hub/webview/assets/jsx-Bz0zcwM4.jsView on unpkg · L1
    hub/webview/assets/mermaid-parser-BfrZ3jm6.jsView file
    46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    hub/webview/assets/mermaid-parser-BfrZ3jm6.jsView on unpkg · L46
    bin/trumbo.exeView file
    path = bin/trumbo.exe kind = native_binary sizeBytes = 132017152 magicHex = [redacted]
    Medium
    Ships Native Binary

    Package ships native binary artifacts.

    bin/trumbo.exeView on unpkg
    hub/webview/icon.icoView file
    path = hub/webview/icon.ico kind = high_entropy_blob sizeBytes = 40082 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    hub/webview/icon.icoView on unpkg

    Findings

    1 Critical1 High5 Medium5 Low
    CriticalTrojan Source Unicodehub/webview/assets/mermaid-parser-BfrZ3jm6.js
    HighShips High Entropy Blobhub/webview/icon.ico
    MediumDynamic Requirehub/webview/assets/jsx-Bz0zcwM4.js
    MediumNetwork
    MediumProtestware
    MediumShips Native Binarybin/trumbo.exe
    MediumStructural Risk Force Deep Review
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License