AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The only active behavior is an npm postinstall shim that installs the same-version Python djlint package via pip, matching the npm distribution path documented in the README.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install djlint@1.39.7
Impact
Installs djlint==1.39.7 from Python packaging infrastructure when npm lifecycle scripts are enabled
Mechanism
package-aligned pip install shim
Rationale
Static source inspection found a lifecycle script, but it is a transparent npm-to-PyPI installer for the same package and version, and README.md documents it. With no additional payload and no suspicious data access, the scanner's lifecycle finding is noise rather than evidence of malicious intent.
Evidence
package.json, README.md, LICENSE
Network endpoints (1)
pypi.org/project/djlint/
Decision evidence
public snapshot
AI called this Clean at 88.0% confidence, classified as Benign with medium false-positive risk.
Evidence for block
- package.json defines postinstall: python3 -m pip install --upgrade djlint==1.39.7
- Install runs pip during npm install, causing package-aligned network/package-manager activity
Evidence against
- Only package files are package.json, README.md, and LICENSE; no JS payload, bin, main, or hidden files present
- README.md explicitly documents npm install as experimental and requiring python/pip
- Postinstall pins the same djlint version and targets the known PyPI project name
- No credential/env harvesting, shell obfuscation, destructive commands, persistence, or exfiltration code found
- No AI-agent control-surface writes or reviewer prompt manipulation found
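The "package-aligned" reasoning above (flag the install-time hook, then check whether the pip pin matches the npm package's own name and version) can be reproduced mechanically. The following is an added example, not code from the scanner or from the djlint project; the package.json texts are constructed to mirror the evidence listed in this review, and the function names are this example's own.

```python
"""Triage an npm package.json for install-time lifecycle scripts.

Added example (not the scanner's or djlint's code). Flags every hook npm runs
while installing a dependency, then checks whether a `pip install` inside it
pins exactly the npm package's own name and version (a package-aligned shim)
or points at something else. The sample package.json below is constructed.
"""
import json
import re
import shlex

# Hooks npm executes for every dependency during `npm install`
# (skipped entirely when npm is run with --ignore-scripts).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Pinned requirement as written in `pip install name==version`.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")


def install_scripts(pkg: dict) -> dict:
    """Return only the lifecycle scripts that run at install time."""
    scripts = pkg.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def pip_pins(command: str) -> list:
    """Extract (name, version) pins from a pip install command; [] if none.

    Accepts `pip install ...`, `pip3 install ...` and `python3 -m pip install ...`.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: not a pip call we can read
        return []
    is_pip = any(tok in ("pip", "pip3") or tok.endswith("/pip") for tok in argv)
    if not is_pip or "install" not in argv:
        return []
    pins = []
    for tok in argv[argv.index("install") + 1:]:
        m = PIN_RE.match(tok)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def triage(package_json: str) -> dict:
    """Classify each install-time hook of a package.json document.

    Verdicts:
      "package-aligned pip shim"  pip pins exactly the npm name and version
      "pip pin differs from package"  pip pins another name or version
      "non-pip install script"  anything else; needs manual review
    """
    pkg = json.loads(package_json)
    own = (pkg.get("name", "").lower(), pkg.get("version", ""))
    report = {}
    for hook, cmd in install_scripts(pkg).items():
        pins = pip_pins(cmd)
        if not pins:
            verdict = "non-pip install script"
        elif pins == [own]:
            verdict = "package-aligned pip shim"
        else:
            verdict = "pip pin differs from package"
        report[hook] = {"command": cmd, "pins": pins, "verdict": verdict}
    return report


# Constructed to mirror the evidence in the review (not the published tarball).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "djlint",
    "version": "1.39.7",
    "scripts": {"postinstall": "python3 -m pip install --upgrade djlint==1.39.7"},
})

# Constructed contrast case: same shape, but the pip pin drifts from the npm version.
DRIFTED_PACKAGE_JSON = json.dumps({
    "name": "djlint",
    "version": "1.39.7",
    "scripts": {"postinstall": "python3 -m pip install djlint==1.39.8 requests"},
})

if __name__ == "__main__":
    for label, text in (("aligned", SAMPLE_PACKAGE_JSON), ("drifted", DRIFTED_PACKAGE_JSON)):
        for hook, info in triage(text).items():
            print(f"{label}: {hook}: {info['verdict']}  <- {info['command']}")
```

The aligned verdict only says the hook does what the review describes; it still means `npm install` hands control to a second package manager. Running `npm install --ignore-scripts` prevents the hook from executing at all, which is the check to apply before trusting any install-time script.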
Behavioral surface
Copyleft License
Source & flagged code
3 flagged · package.json
Critical · Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json: scripts.postinstall = python3 -m pip install --upgrade djlint==1.39.7
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json: scripts.postinstall = python3 -m pip install --upgrade djlint==1.39.7
Medium · Typosquat Name
Package name is suspiciously similar to a popular package name.
package.json: name = djlint; similarTo = eslint
Findings
1 Critical · 1 High · 1 Medium · 2 Low
Critical · Red Install Lifecycle Script · package.json
High · Install Time Lifecycle Scripts · package.json
Medium · Typosquat Name · package.json
Low · Scripts Present
Low · Copyleft License