AI Security Review
scanned 2h ago · by lpm-firewall-aiThe remaining surface is an opaque, stripped native CLI binary with package-aligned compiler/runtime behavior. The npm postinstall path only installs the package's own platform binary into its own bin path, so no confirmed attack behavior is established.
Decision evidence
public snapshot- package.json defines postinstall: node install.cjs
- bin/cXpher.js is a stripped Linux ELF executable exposed as main/bin
- binary strings show anti-debug/runtime wrapper terms such as TracerPid, /proc/self/status, mkdtemp, execvp
- install.cjs only resolves optional cxpher-* platform package, hardlinks/copies its binary to bin/cXpher.js, and chmods it
- cli-wrapper.cjs only resolves and execs platform binary when invoked by the user
- no install-time network fetch or credential/env harvesting found in install.cjs or cli-wrapper.cjs
- network URLs in package.json/README are project docs/registry examples, not exfil endpoints
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
bin/cXpher.jsView on unpkg · L874A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/cXpher.jsView on unpkg