AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is present in the shipped source. The only install-time hook points to a missing file, making the package broken/suspiciously packaged but not a payload carrier in this tarball.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install attempts postinstall; runtime import loads empty index.js
Impact
install failure, no observed exfiltration or code execution payload
Mechanism
missing lifecycle script target and empty module export
Rationale
Static inspection found a postinstall hook, but the referenced postinstall.js is not shipped and the only entrypoint is an empty export. With no executable payload, network endpoint, credential access, or filesystem mutation, this is not malicious source behavior.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node postinstall.js
- postinstall.js is absent from package file list, so install would fail rather than run reviewed payload
Evidence against
- index.js only contains module.exports={}
- Package contains only package.json and index.js
- No network, child_process, eval, env access, file writes, native binaries, or encoded payloads found
- No AI-agent control-surface writes or persistence logic found
Behavioral surface
Trivial
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowNo License