AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious payload was found in the shipped runtime code. The remaining risk is the package-level preinstall hook that runs npx force-resolutions during installation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install
Impact
unresolved install-time third-party code execution risk; no source-confirmed exfiltration or persistence
Mechanism
install lifecycle executes external npx tool
Rationale
The preinstall hook is a real install-time risk because it delegates execution to npx, but direct source inspection found no concrete malicious behavior in this package. Treat as a warning rather than a publish block.
Evidence
package.jsondist/index.jsdist/index.cjsdist/index.d.ts
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json has an install-time preinstall script: npx force-resolutions
- preinstall invokes an undeclared external npx tool for consumers during npm install
Evidence against
- dist/index.js and dist/index.cjs are browser payment-card UI/formatting code using DOM events, Luhn check, IIN lookup, CSS, and embedded image data
- No child_process, fs access, eval/Function, credential harvesting, beacon/fetch/XHR/WebSocket, or AI-agent control-surface writes found in package source
- Runtime code exports Card and only manipulates configured DOM elements and input attributes
- No obfuscated decoded strings or remote payload loader found
Behavioral surface
Minified
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = npx force-resolutions
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.preinstall = npx force-resolutions
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present