registry  /  bmdl-sdk  /  1.5.0

bmdl-sdk@1.5.0

This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky primitives are limited to explicit developer commands for scaffolding and starting Vite.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs bmdl-sdk init or bmdl-sdk dev.
Impact
Creates template files and modifies package.json scripts, or starts local Vite server.
Mechanism
project scaffolding and Vite dev-server launch
Rationale
Static inspection shows an SDK scaffold/dev tool with explicit user-invoked file writes and local dev-server execution, not install-time mutation, exfiltration, or remote payload execution. The nested old tarballs are packaging noise/inert artifacts because no package code references or executes them.
Evidence
package.jsonbin/cli.jsbin/init.jsbin/dev.jsvite.config.tssrc/App.tsxbmdl-sdk-1.5.0.tgzsrc/app/App.tsxsrc/config.tssrc/dataOptions.tssrc/viewOptions.tspublic/icon.svgtsconfig.json
Network endpoints1
localhost:3000

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bmdl-sdk-1.5.0.tgz contains nested prior-version archives bmdl-sdk-1.3.12.tgz and bmdl-sdk-1.4.0.tgz.
  • bin/dev.js uses child_process.spawn with shell:true to run npx vite, but only on explicit bmdl-sdk dev.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/cli.js only dispatches explicit init/dev/build commands.
  • bin/init.js writes template project files and package scripts only after explicit bmdl-sdk init.
  • No credential harvesting, destructive file operations, or exfiltration endpoints found by source search.
  • Network references are localhost dev server/SVG namespace only.
  • Nested archives list package source contents and are not loaded or executed by entrypoints.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 11.2 KB of source

Source & flagged code

7 flagged · loading source
bin/dev.jsView file
matchType = previous_version_dangerous_delta matchedPackage = bmdl-sdk@1.4.0 matchedIdentity = npm:Ym1kbC1zZGs:1.4.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/dev.jsView on unpkg
2L3: import { spawn } from 'child_process' L4: import { resolve } from 'path'
High
Child Process

Package source references child process execution.

bin/dev.jsView on unpkg · L2
47stdio: 'inherit', L48: shell: true, L49: cwd: sdkRoot,
High
Shell

Package source references shell execution.

bin/dev.jsView on unpkg · L47
45// Запускаем Vite с передачей корня проекта как переменной окружения L46: const vite = spawn('npx', ['vite', '--port', '3000', '--config', viteConfig], { L47: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/dev.jsView on unpkg · L45
bmdl-sdk-1.5.0.tgzView file
path = bmdl-sdk-1.5.0.tgz kind = high_entropy_blob sizeBytes = 507159 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

bmdl-sdk-1.5.0.tgzView on unpkg
path = bmdl-sdk-1.5.0.tgz kind = compressed_blob sizeBytes = 507159 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

bmdl-sdk-1.5.0.tgzView on unpkg
path = bmdl-sdk-1.5.0.tgz kind = nested_archive_needs_inspection sizeBytes = 507159 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

bmdl-sdk-1.5.0.tgzView on unpkg

Findings

1 Critical4 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/dev.js
HighChild Processbin/dev.js
HighShellbin/dev.js
HighRuntime Package Installbin/dev.js
HighShips High Entropy Blobbmdl-sdk-1.5.0.tgz
MediumEnvironment Vars
MediumShips Compressed Blobbmdl-sdk-1.5.0.tgz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowNested Archive Needs Inspectionbmdl-sdk-1.5.0.tgz