registry  /  cxpher  /  2.2.5

cxpher@2.2.5

Agentics Package Manager — Encrypted native binary compiler + package manager for JavaScript

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The remaining surface is an opaque, stripped native CLI binary with package-aligned compiler/runtime behavior. The npm postinstall path only installs the package's own platform binary into its own bin path, so no confirmed attack behavior is established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; user invocation runs cxpher/cXpher/cx/cX
Impact
No confirmed malicious impact from inspected source; binary opacity and anti-debug strings increase review risk but align with the advertised source-protection tool.
Mechanism
platform binary placement and user-invoked native CLI execution
Rationale
Static inspection found a lifecycle script and opaque native executable, but the install script only places the package-owned platform binary and there is no observed exfiltration, foreign control-surface mutation, destructive action, or remote payload fetch. The risky primitives are consistent with a native compiler/source-protection CLI described by the package documentation.
Evidence
package.jsoninstall.cjscli-wrapper.cjsbin/cXpher.jsREADME.mdCHANGELOG.md

Decision evidence

public snapshot
AI called this Clean at 72.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.cjs
  • bin/cXpher.js is a stripped Linux ELF executable exposed as main/bin
  • binary strings show anti-debug/runtime wrapper terms such as TracerPid, /proc/self/status, mkdtemp, execvp
Evidence against
  • install.cjs only resolves optional cxpher-* platform package, hardlinks/copies its binary to bin/cXpher.js, and chmods it
  • cli-wrapper.cjs only resolves and execs platform binary when invoked by the user
  • no install-time network fetch or credential/env harvesting found in install.cjs or cli-wrapper.cjs
  • network URLs in package.json/README are project docs/registry examples, not exfil endpoints
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 378 KB of source, external domains: agentics.co.za, gitlab.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node install.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/cXpher.jsView file
874contains invisible/control Unicode U+034F (combining grapheme joiner) VwM;�S'Ɨn0N��8�j��=.%v]�<���'p�?�������:��M��ƨ���v�,�m �� �T�,�<U+034F>�KՀ�D�oW��*�R_1�rȅi���}��6�Q��'�EC<��?��9�ԓ���%� ��^���×�T��3v��B�z�3:��� ��T:���|��b�����k���5v OAIaU\vi��1�I���{�f��Mn�� Ȫ�H=n ��ē(�_|"��`�M�'�$
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bin/cXpher.jsView on unpkg · L874
Trigger-reachable chain: manifest.main -> bin/cXpher.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/cXpher.jsView on unpkg
path = bin/cXpher.js kind = native_binary sizeBytes = 379400 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/cXpher.jsView on unpkg

Findings

2 Critical1 High4 Medium3 Low
CriticalTrojan Source Unicodebin/cXpher.js
CriticalTrigger Reachable Dangerous Capabilitybin/cXpher.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Native Binarybin/cXpher.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings