registry  /  artefact-design-system  /  0.8.3

artefact-design-system@0.8.3

Артефакт design system — Foundation/Primitives/Components/Sections on top of shadcn/ui + Radix, published as an installable package.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates AI-agent instruction files in the consuming project. It writes an instruction pointer to this package's own AGENTS file without an explicit user command.

Static reason
High-risk behavior combination matched malicious policy.; source fingerprint signature matched known malicious package; routed for review
Trigger
Installing the package as a dependency.
Impact
A package can silently influence future AI-agent behavior across the consumer project.
Mechanism
Postinstall append/create of consumer-root AI-agent instruction files.
Policy narrative
On dependency installation, the postinstall script derives the consumer project root, then appends to an existing `CLAUDE.md` or `AGENTS.md`, or creates `CLAUDE.md` when neither exists. The inserted text tells future agents to read and follow package-controlled instructions from node_modules. This is an unconsented install-time mutation of a foreign AI-agent control surface.
Rationale
The package has a concrete, automatic postinstall control-surface mutation targeting consumer-project agent instructions. Lack of exfiltration does not remove the policy-triggering AI-agent control hijack behavior.
Evidence
package.jsonscripts/postinstall.mjsAGENTS.mdREADME.mddist/index.jsCLAUDE.md

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.mjs` automatically on dependency installation.
  • `scripts/postinstall.mjs` selects the consumer-root `CLAUDE.md` or `AGENTS.md` and creates or appends it.
  • The injected block directs an AI agent to follow package-controlled `node_modules/artefact-design-system/AGENTS.md`.
  • The mutation is automatic, targets a foreign project control surface, and is suppressed only by broad error handling.
Evidence against
  • `scripts/postinstall.mjs` contains no network, subprocess, eval, or credential-harvesting behavior.
  • `dist/index.js` imports UI/runtime dependencies and shows no Node filesystem or shell access.
  • Bundled `.woff2` files identify as normal WOFF2 fonts.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 180 KB of source, external domains: www.npmjs.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.mjsView file
3Install-time AI-agent control hijack evidence: L3: * Runs when this package is installed as a DEPENDENCY in someone else's L4: * project — points their agent at our AGENTS.md so they don't have to L5: * remember to do it by hand (see context/AGENTS.md's "Правило: код меняется L6: * → документы меняются" — same instinct, one level up: don't rely on ... L11: */ L12: import { existsSync, appendFileSync, writeFileSync, readFileSync } from "node:fs" L13: import { dirname, resolve, sep } from "node:path" ... L39: `Проект использует [artefact-design-system](https://www.npmjs.com/package/artefact-design-system). ` + L40: `Перед любой задачей на UI — прочитай \`node_modules/artefact-design-system/AGENTS.md\` и следуй ему ` + L41: `(там объяснено, когда смотреть в \`DESIGN.md\`, когда в \`COMPONENTS.md\`).\n` + ... L43: L44: const candidates = [resolve(projectRoot, "CLAUDE.md"), resolve(projectRoot, "AGENTS.md")] Payload evidence from AGENTS.md: L26: L27: Стили — уже скомпилированный CSS (Tailwind собран при публикации пакета), настраивать Tailwind у себя не нужно. `react`/`react-dom` — peer-зависимости, должны уже быть в проекте (с... L28:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L3
25Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: environment+network L25: L26: const projectRoot = process.env.INIT_CWD || process.cwd() L27: ... L29: // rather than guessing further and writing to the wrong place. L30: if (!existsSync(resolve(projectRoot, "package.json"))) { L31: process.exit(0) ... L38: `## Дизайн-система\n\n` + L39: `Проект использует [artefact-design-system](https://www.npmjs.com/package/artefact-design-system). ` + L40: `Перед любой задачей на UI — прочитай \`node_modules/artefact-design-system/AGENTS.md\` и следуй ему ` +
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

scripts/postinstall.mjsView on unpkg · L25
matchType = malicious_source_fingerprint_signature signature = 1a683e63457e6c80 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = artefact-design-system@0.8.2 matchedPath = scripts/postinstall.mjs matchedIdentity = npm:YXJ0ZWZhY3QtZGVzaWduLXN5c3RlbQ:0.8.2 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/postinstall.mjsView on unpkg
dist/fonts/Struve-Medium.woff2View file
path = dist/fonts/Struve-Medium.woff2 kind = high_entropy_blob sizeBytes = 53436 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/fonts/Struve-Medium.woff2View on unpkg

Findings

1 Critical4 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighEntrypoint Build Divergencescripts/postinstall.mjs
HighShips High Entropy Blobdist/fonts/Struve-Medium.woff2
HighKnown Malware Source Fingerprint Signaturescripts/postinstall.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings