registry  /  bmdl-sdk  /  1.4.0

bmdl-sdk@1.4.0

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React/Vite scaffolding CLI with explicit user-invoked init/dev commands; the risky primitives are aligned with that purpose.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `bmdl-sdk init` or `bmdl-sdk dev`
Impact
Creates expected project template files and package scripts, or starts a local dev server; no exfiltration or persistence found.
Mechanism
local project scaffolding and local Vite server launch
Rationale
Static source inspection shows explicit CLI scaffolding and dev-server functionality, with no install-time execution, credential harvesting, remote network endpoints, destructive behavior, persistence, or agent control-surface mutation. The nested archives and child_process use are package-aligned and not evidence of malicious behavior.
Evidence
package.jsonbin/cli.jsbin/init.jsbin/dev.jsvite.config.tstemplates/App.tsxtemplates/config.tstemplates/dataOptions.tstemplates/viewOptions.tsbmdl-sdk-1.3.12.tgzbmdl-sdk-1.4.0.tgzsrc/App/App.tsxsrc/config.tssrc/dataOptions.tssrc/viewOptions.tspublic/icon.svgtsconfig.json
Network endpoints1
localhost:3000

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/dev.js spawns vite with shell:true on explicit `bmdl-sdk dev` command
  • bin/init.js writes template files and replaces package scripts on explicit `bmdl-sdk init` command
  • Package ships nested prior-version archives bmdl-sdk-1.3.12.tgz and bmdl-sdk-1.4.0.tgz
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • bin/cli.js only dispatches explicit init/dev/build subcommands
  • bin/init.js scaffolds src/public/tsconfig files from local templates; no credential reads or exfiltration
  • bin/dev.js only starts local Vite dev server on port 3000
  • rg found no fetch/http exfiltration, eval/vm, env harvesting, shell download, persistence, or AI-agent control writes
  • Nested bmdl-sdk-1.3.12.tgz contents match prior package scaffolding behavior with no lifecycle scripts
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 5.21 KB of source

Source & flagged code

4 flagged · loading source
bmdl-sdk-1.3.12.tgzView file
path = bmdl-sdk-1.3.12.tgz kind = high_entropy_blob sizeBytes = 244020 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

bmdl-sdk-1.3.12.tgzView on unpkg
path = bmdl-sdk-1.3.12.tgz kind = compressed_blob sizeBytes = 244020 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

bmdl-sdk-1.3.12.tgzView on unpkg
path = bmdl-sdk-1.3.12.tgz kind = nested_archive_needs_inspection sizeBytes = 244020 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

bmdl-sdk-1.3.12.tgzView on unpkg
bin/dev.jsView file
matchType = previous_version_dangerous_delta matchedPackage = bmdl-sdk@1.3.2 matchedIdentity = npm:Ym1kbC1zZGs:1.3.2 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/dev.jsView on unpkg

Findings

2 High2 Medium3 Low
HighShips High Entropy Blobbmdl-sdk-1.3.12.tgz
HighPrevious Version Dangerous Deltabin/dev.js
MediumShips Compressed Blobbmdl-sdk-1.3.12.tgz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowNested Archive Needs Inspectionbmdl-sdk-1.3.12.tgz