AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The install hook is a conventional binary downloader for a CLI package, with package-aligned GitHub release URLs and local binary/symlink setup.
Decision evidence
public snapshot- package.json defines postinstall: node install.js.
- install.js downloads a release tarball from github.com/apteva/apteva and extracts it with tar during install.
- install.js falls back to execSync('go build -o apteva .') in package dir, but package files list contains no Go source.
- Only package files are package.json, cli.js, install.js, README.md; no hidden payload files found by rg --files.
- install.js network endpoint is package-aligned GitHub releases for apteva/apteva v0.24.13.
- install.js writes binaries/tarball under ~/.apteva and package install dir for CLI setup; no credential/env harvesting or exfiltration observed.
- cli.js only resolves installed apteva/apteva-server/apteva-core binaries and spawnSyncs apteva with user CLI args.
- No eval/vm/Function, obfuscation, persistence beyond CLI symlinks, destructive behavior, or AI-agent control-surface writes found.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
install.jsView on unpkg · L27