AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed attack surface is established by source inspection. The only suspicious behavior is a package.json postinstall hook pointing to a missing file, which would fail rather than execute payload code in this extracted package.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
No malicious payload confirmed; likely install failure or broken package behavior.
Mechanism
missing lifecycle script target
Rationale
Static inspection found an install-time hook, but the referenced postinstall.js is not present and the only runtime entrypoint is an empty export. With no payload, network, credential access, filesystem mutation, or agent control-surface writes, the scanner lifecycle finding is not enough to mark malicious.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node postinstall.js
- postinstall.js is referenced but absent from extracted package
Evidence against
- Only package files present are package.json and index.js
- index.js contains only module.exports={}
- No credential/env/file harvesting found
- No network endpoints found
- No child_process/eval/dynamic loading/native binary code found
- No AI-agent config or control-surface writes found
Behavioral surface
Trivial
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowNo License