AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The only active behavior is a package-aligned npm postinstall wrapper that installs the matching PyPI djlint version.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install djlint
Impact
Installs the djlint Python package into the user's pip environment; no source evidence of a malicious payload in this npm package.
Mechanism
A postinstall hook runs pip install for the matching Python package.
Rationale
Static inspection confirms an install-time pip invocation, but it is documented in README.md and targets the same package/version rather than a suspicious endpoint or payload. No concrete malicious behavior, exfiltration, persistence, or hidden code is present in the npm package.
Evidence
package.json, README.md
Network endpoints (1)
pypi.org/project/djlint/
Decision evidence
Public snapshot: AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines postinstall: python3 -m pip install --upgrade djlint==1.40.0
- Install hook invokes pip and may fetch/install Python package code during npm install
Evidence against
- Package contains only package.json, README.md, and LICENSE; no hidden JS payload or binaries found
- README.md documents npm install as experimental and says it requires python and pip
- The pip target is the same package name and exact version: djlint==1.40.0
- No credential harvesting, destructive commands, persistence, or exfiltration code found in package files
- No obfuscated strings, eval, child_process JS, dynamic require/import, or native loading found
Behavioral surface
Copyleft License
Source & flagged code
3 flagged · package.json
- scripts.postinstall = python3 -m pip install --upgrade djlint==1.40.0
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json
- scripts.postinstall = python3 -m pip install --upgrade djlint==1.40.0
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- name = djlint; similarTo = eslint
Medium
Typosquat Name
Package name is suspiciously similar to a popular package name.
package.json
Findings
1 Critical · 1 High · 1 Medium · 2 Low
- Critical: Red Install Lifecycle Script (package.json)
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Typosquat Name (package.json)
- Low: Scripts Present
- Low: Copyleft License