AI Security Review
scanned 2h ago · by lpm-firewall-ainpm postinstall downloads a platform-specific native archive, extracts it under the package, and the CLI executes that downloaded binary. The JavaScript wrapper does not verify artifact integrity.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation runs postinstall; invoking bitrouter runs the extracted binary.
Impact
A compromised or substituted release artifact can execute with the installing user's privileges.
Mechanism
remote native-binary download, extraction, and execution
Rationale
Source inspection confirms an install-time remote executable payload flow without artifact verification. It is package-aligned rather than a demonstrated malicious chain, so warn rather than block.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-bitrouter.jsnode_modules/.bin_real
Network endpoints1
github.com/bitrouter/bitrouter/releases/download/v1.0.0-alpha.24
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- package.json defines postinstall: node ./install.js.
- install.js immediately invokes the installer during npm install.
- binary.js constructs release downloads from the GitHub URL in package.json.
- binary-install.js streams, extracts, and later executes the downloaded platform binary.
- No checksum, signature, or pinned artifact integrity validation is present.
Evidence against
- The only source-defined endpoint is the package-aligned bitrouter GitHub releases URL.
- No source reads credentials, environment variables, home directories, or agent configuration.
- No eval, dynamic code loading, shell interpolation, or broad persistence behavior was found.
- Extraction commands use fixed executable names and structured argument arrays.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings