AI Security Review
scanned 2h ago · by lpm-firewall-aiPostinstall script appears to harvest local files and environment secrets and send them to Telegram during npm install. This is install-time credential and data exfiltration unrelated to a Polymarket SDK.
Decision evidence
public snapshot- Scanner reports package.json postinstall runs postinstall.js
- Scanner snippets show Telegram bot token/CHAT_ID and POST to api.telegram.org
- Scanner snippets show scanning cwd, home, and ~/.ssh for .env, keys, wallet, seed files
- Scanner snippets show filtering process.env for secrets/tokens/API keys/passwords
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource appears to send environment or credential material to an external endpoint.
postinstall.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
postinstall.jsView on unpkg · L1