AI Security Review
scanned 9h ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The package is a platform-specific Trumbo CLI binary with bundled webview assets and a first-party plugin sandbox used at runtime.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the trumbo CLI or uses Trumbo hub/plugin features.
Impact
Can run Trumbo CLI functionality and user-selected plugins; no unconsented install-time mutation or exfiltration found.
Mechanism
User-invoked native CLI and first-party plugin host loading.
Rationale
The risky primitives are package-aligned and activated by running the CLI or using Trumbo plugin/marketplace features, not by npm lifecycle hooks. Static inspection did not show credential theft, persistence, destructive behavior, or unconsented mutation of foreign AI-agent control surfaces.
Evidence
- package.json
- bin/trumbo.exe
- extensions/plugin-sandbox-bootstrap.js
- hub/webview/index.html
- hub/webview/assets/extensions-view-D15eD0m6.js
- hub/webview/assets/mermaid-parser-BfrZ3jm6.js
- hub/webview/assets/jsx-Bz0zcwM4.js
Decision evidence
public snapshot
AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
- bin/trumbo.exe is a large PE32+ Windows x64 native CLI binary.
- extensions/plugin-sandbox-bootstrap.js can dynamically import pluginPaths and accept plugin tool/command/rule/MCP contributions when invoked by Trumbo.
- hub/webview/assets/extensions-view-D15eD0m6.js fetches relative /api/marketplace/catalog and offers user-driven install/uninstall actions.
Evidence against
- package.json has no preinstall/install/postinstall or other lifecycle scripts.
- package.json bin only maps trumbo to bin/trumbo.exe; execution is user-invoked.
- No package-time writes to Claude/Codex/Cursor/MCP foreign control surfaces found.
- Scanner hot JS files are bundled syntax/mermaid/webview assets; no exfiltration or persistence behavior confirmed.
- plugin-sandbox-bootstrap.js operates inside Trumbo's own plugin host namespace and IPC, not npm install time.
- No credential harvesting or concrete external exfiltration endpoint established from inspected source.
Behavioral surface
ChildProcess · DynamicRequire · Filesystem · Network · WebSocket
HighEntropyStrings · Minified · Obfuscated · Protestware · UrlStrings
NoLicense
Source & flagged code
4 flagged
hub/webview/assets/jsx-Bz0zcwM4.js
var e=[Object.freeze(JSON.parse(`{"displayName":"JSX","name":"jsx","patterns":[{"include":"#directives"},{"include":"#statements"},{"include":"#shebang"}],"repository":{"access-mod...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
hub/webview/assets/jsx-Bz0zcwM4.js · L1
hub/webview/assets/mermaid-parser-BfrZ3jm6.js
Line 46 contains invisible/control Unicode U+FEFF (zero width no-break space)
\r \v \xA0 \u2028\u2029 <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
hub/webview/assets/mermaid-parser-BfrZ3jm6.js · L46
bin/trumbo.exe
path = bin/trumbo.exe
kind = native_binary
sizeBytes = 135277056
magicHex = [redacted]
Medium
hub/webview/icon.ico
path = hub/webview/icon.ico
kind = high_entropy_blob
sizeBytes = 40082
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
hub/webview/icon.ico
Findings
1 Critical · 1 High · 5 Medium · 5 Low
Critical · Trojan Source Unicode · hub/webview/assets/mermaid-parser-BfrZ3jm6.js
High · Ships High Entropy Blob · hub/webview/icon.ico
Medium · Dynamic Require · hub/webview/assets/jsx-Bz0zcwM4.js
Medium · Network
Medium · Protestware
Medium · Ships Native Binary · bin/trumbo.exe
Medium · Structural Risk Force Deep Review
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License