registry  /  @txpipe/dolos  /  1.5.0

@txpipe/dolos@1.5.0

A Cardano data-node built in Rust

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Installation downloads and extracts a platform-specific release artifact into the package directory. The artifact is not checksum- or signature-verified, and the CLI later executes it.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` downloads the artifact; invoking `dolos` executes it.
Impact
A compromised or replaced release artifact could execute with the installing user's privileges when the CLI is run.
Mechanism
Remote native-binary download, extraction, and CLI execution.
Rationale
This is a package-aligned native binary installer, not concrete malicious behavior. However, it is an install-time carrier for an unverified remote executable, leaving a real unresolved staged-payload risk.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-dolos.jsnode_modules/.bin_real
Network endpoints1
github.com/txpipe/dolos/releases/download/v1.5.0

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `node ./install.js` at postinstall.
  • `binary.js` builds release URLs from the GitHub release base.
  • `binary-install.js` streams and extracts an unsigned remote archive.
  • `run-dolos.js` launches the extracted `dolos` executable.
Evidence against
  • Only configured endpoint is the package-aligned TxPipe GitHub release URL.
  • Platform names and executable paths are fixed by `package.json`.
  • No source reads credentials, environment variables, home directories, or agent settings.
  • No eval, dynamic module loading, foreign config mutation, or exfiltration is present.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 10.0 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings