registry  /  @youdie006/swapdex  /  0.1.0

@youdie006/swapdex@0.1.0

Switch between multiple Claude Code and Codex login accounts, locally and safely.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package is a lifecycle downloader for a native binary that is not present in the npm tarball. The reviewed JS does not prove malicious behavior, but the installed executable is fetched without integrity verification and later executed by the CLI shim.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes swapdex
Impact
Unverified release binary can execute with the user's privileges when swapdex is invoked
Mechanism
postinstall remote binary download and CLI execution shim
Attack narrative
On install, install.js selects the current OS/CPU target, downloads a tar.gz from the package author's GitHub release, extracts it into bin/, makes bin/swapdex executable, and removes the temporary archive. The npm CLI entrypoint then executes that downloaded binary. No direct exfiltration or malicious JS behavior is visible, but the binary payload is outside the npm source and lacks integrity verification.
Rationale
Static inspection confirms an unverified install-time remote binary fetch and execution path, which is real unresolved supply-chain risk but not concrete proof of malicious intent. Marking warn is appropriate rather than publish block because the behavior is package-aligned and no credential theft, persistence, or destructive code is present in inspected source.
Evidence
package.jsoninstall.jsbin/swapdex.jsbin/swapdex
Network endpoints1
github.com/youdie006/swapdex/releases/download/v0.1.0/swapdex-${target}.tar.gz

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node install.js
  • install.js downloads a platform tar.gz from GitHub releases during install
  • install.js extracts archive with tar into bin/ and chmods bin/swapdex executable
  • bin/swapdex.js runs the downloaded bin/swapdex with forwarded argv/stdio
  • No checksum, signature, or pinned integrity validation for the downloaded binary
Evidence against
  • Remote URL is package-aligned to github.com/youdie006/swapdex releases
  • JS source shows no env/credential harvesting or exfiltration logic
  • No obfuscation, eval/vm/Function, persistence, or destructive behavior found in package JS
  • Network use is limited to release download in install.js
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.12 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings