AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a thin npm launcher that installs and runs package-aligned native binaries from the project's GitHub releases.
Decision evidence
public snapshot- package.json defines postinstall: node install.js
- install.js downloads a platform tarball from github.com/apteva/apteva releases and extracts it with tar
- install.js writes binaries/symlinks under APTEVA_HOME or ~/.apteva and copies fallback binaries into the package dir
- cli.js spawns the resolved apteva binary with inherited stdio/env
- Network use is limited to package-aligned GitHub release download URL derived from apteva/apteva and package version
- No credential, token, npmrc, ssh, or broad file harvesting found by source search
- No exfiltration endpoint or covert network destination found
- No eval/vm/Function, obfuscated strings, prompt/reviewer manipulation, or AI-agent control-surface writes found
- README describes this as a binary launcher for the Apteva CLI/server/core, matching install.js and cli.js behavior
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
install.jsView on unpkg · L27