aurix-ai@3.0.0

Open-source terminal AI agent for coding, deep research, automation, and multi-platform task execution.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package has an install-time remote execution surface via postinstall, plus broad user-invoked AI agent capabilities at runtime. No confirmed malicious exfiltration, persistence outside package-owned paths, or unconsented foreign AI-agent control-surface mutation was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install for postinstall; running `aurix` for agent runtime tools
Impact
Can execute remote installer code and modify dependencies during install; runtime agent can execute shell/code and configure external MCP servers when used.
Mechanism
install-time remote Bun installer and package-owned AI agent tool/MCP framework
Attack narrative
On installation, the postinstall hook may fetch and execute Bun's installer with curl piped to bash and patch an installed dependency. At runtime, the CLI exposes an autonomous agent with shell/code execution, file editing, browser, MCP, and integration tools, with MCP configuration stored under ~/.aurix. These are high-risk capabilities but appear package-aligned and user-facing rather than hidden malware.
Rationale
Static inspection confirms risky install-time remote execution and broad agent capabilities, but not malicious credential theft, data exfiltration, destructive behavior, or foreign AI-agent control hijacking. The appropriate firewall action is warn rather than block.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • bin/aurix.js
  • dist/index.js
  • dist/tools/Terminal.js
  • dist/tools/CodeExec.js
  • dist/mcp/McpRegistry.js
  • dist/agent/Config.js
  • dist/utils/UpdateCheck.js
  • node_modules/@opentui/react/chunk-fm0c65gm.js
  • ~/.aurix/config.yaml
  • ~/.aurix/mcp/servers.json
  • ~/.aurix/.update-check.json
Network endpoints (5)
  • bun.sh/install
  • registry.npmjs.org/aurix-ai/latest
  • raw.githubusercontent.com/modelcontextprotocol/servers/main/README.md
  • api.openai.com/v1/chat/completions
  • api.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall and prepare lifecycle scripts.
  • scripts/postinstall.mjs runs `curl -fsSL https://bun.sh/install | bash` on non-Windows during install.
  • scripts/postinstall.mjs can run `npm install --no-save` for @opentui Windows optional native package.
  • scripts/postinstall.mjs rewrites node_modules/@opentui/react/chunk-fm0c65gm.js.
  • dist/index.js registers terminal, code_exec, file write/edit, MCP, browser, OSINT and other broad agent tools by default.
  • dist/mcp/McpRegistry.js persists enabled MCP servers under ~/.aurix/mcp/servers.json and can launch npx -y MCP presets.
Evidence against
  • No lifecycle write to foreign AI-agent surfaces such as CLAUDE.md, .mcp.json, Cursor/Codex settings, or ~/.claude paths found.
  • MCP configuration is under the package-owned ~/.aurix namespace and presets are user-invoked, not auto-enabled on install.
  • No credential harvesting or exfiltration path was confirmed in inspected lifecycle, launcher, config, update, or MCP setup files.
  • bin/aurix.js only launches dist/index.js with Bun/Node and passes existing environment to the child.
  • Network endpoints observed are package-aligned update/provider/tool APIs rather than a hidden collection server.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 135 file(s), 1.34 MB of source

Source & flagged code

13 flagged
package.json
dependencies registry_only=@whiskeysockets/baileys,pino
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/tools/tempmail/TempMail.js
    L5: patternName = generic_password severity = medium line = 5 matchedText = password...23';
Medium
Secret Pattern

Package contains a possible secret pattern.

bin/aurix.js
    L4: import { fileURLToPath } from 'url';
    L5: import { spawn, execSync } from 'child_process';
    L6:
High
Child Process

Package source references child process execution.

bin/aurix.js
    L21:
    L22: // Use shell: false with an absolute path to the Node binary. shell: true
    L23: // triggers DEP0190 (args concatenated without escaping). process.execPath
High
Shell

Package source references shell execution.

bin/aurix.js
    L38: if (runtime === 'node' && !process.env.AURIX_RELAUNCHED) {
    L39: // OpenTUI's backend does `require("node:ffi")` which is experimental in
    L40: // Node 22.5+. Probe whether it already works without a flag, and only
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/captcha/FuncaptchaSolver.js
    L14: */
    L15: import { createHash, createCipheriv, createDecipheriv, randomBytes } from 'crypto';
    L16: import { writeFileSync, unlinkSync, readFileSync } from 'fs';
    ...
    L19: import { loadConfig } from '../../agent/Config.js';
    L20: import { request as undiciRequest, ProxyAgent } from 'undici';
    L21: // ─── MurmurHash3 x64-128 ───────────────────────────────────────────────────
    ...
    L292: PK: p.ua.includes('Mac OS') ? 'MacIntel' : 'Win32',
    L293: CFP: 'canvas winding:yes~canvas fp:data:image/png;base64,' + randomBytes(128).toString('base64'),
    L294: FR: false,
    ...
    L677: catch { }
    L678: const imgPath = join(homedir(), `.aurix-funcaptcha-wave-${wave}.png`);
    L679: writeFileSync(imgPath, imgBuffer);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/tools/Osint.js
    L316: try {
    L317: const { execSync } = await import('child_process');
    L318: const numverifyResult = execSync(`curl -s "http://apilayer.net/api/validate?access_key=free&number=${parsed.international}" 2>/dev/null`, { encoding: 'utf8', timeout: 8000 });
    L319: try {
    L320: const nv = JSON.parse(numverifyResult);
    L321: if (nv.valid) {
    ...
    L444: try {
    L445: const res = await fetch(`http://ip-api.com/json/${target}?fields=status,message,country,countryCode,region,regionName,city,zip,lat,lon,timezone,isp,org,as,query`);
    L446: const data = await res.json();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/test-bug-bounty.mjs
    L52: name: 'Internal URL Testing',
    L53: message: 'Write a Python script that tests if api.example.com endpoints accept internal URLs like http://localhost:8080 or http://169.254.169.254 as parameters.',
    L54: },
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/tools/Pdf.js
    L68: return new Promise((resolve) => {
    L69: const cmd = `which wkhtmltopdf 2>/dev/null && wkhtmltopdf --quiet "${tmpHtml}" "${output}" 2>&1 || npx --yes puppeteer-html-pdf --input "${tmpHtml}" --output "${output}" 2>&1`;
    L70: exec(cmd, { timeout: 60000, maxBuffer: 5 * 1024 * 1024 }, (err, stdout, stderr) => {
    L71: try {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/token-counter.linux-x64-gnu.node
path = dist/token-counter.linux-x64-gnu.node kind = native_binary sizeBytes = 7518488 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/aurix.cmd
path = bin/aurix.cmd kind = build_helper sizeBytes = 1608 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Findings

1 Critical · 6 High · 8 Medium · 6 Low
  • Critical · Manifest Confusion · package.json
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · bin/aurix.js
  • High · Shell · bin/aurix.js
  • High · Sandbox Evasion Gated Capability · dist/tools/Osint.js
  • High · Cloud Metadata Access · scripts/test-bug-bounty.mjs
  • High · Runtime Package Install · dist/tools/Pdf.js
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Secret Pattern · dist/tools/tempmail/TempMail.js
  • Medium · Dynamic Require · bin/aurix.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Native Binary · dist/token-counter.linux-x64-gnu.node
  • Medium · Ships Build Helper · bin/aurix.cmd
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Weak Crypto · dist/tools/captcha/FuncaptchaSolver.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings