registry  /  gn-provider  /  1.3.14

gn-provider@1.3.14

This is a BSV blockchain provider for sCrpyt using Whatsonchain API

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package has an install-time mutation risk: postinstall copies its provider files into the installed scrypt-ts providers directory. Runtime network calls are aligned with a BSV blockchain provider and are invoked by provider methods.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package postinstall; runtime use occurs when GNProvider is constructed or methods are called
Impact
Can modify scrypt-ts files in the consumer install; no confirmed malicious payload or exfiltration observed
Mechanism
postinstall dependency-tree file copy plus runtime blockchain API client
Rationale
Source inspection does not show concrete malicious behavior, but the postinstall hook mutates another package during installation, which is a real lifecycle risk worth warning on. Runtime network calls and API keys are consistent with the stated blockchain provider purpose.
Evidence
package.jsonscripts/install.jsdist/gn-provider.jsREADME.mdscrypt-ts providers/gn-provider.jsscrypt-ts providers/gn-provider.d.ts
Network endpoints3
api.whatsonchain.com/v1/bsv/{main|test}mapi.gorillapool.io/mapi/testnet-mapi.gorillapool.io/mapi/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/install.js
  • scripts/install.js resolves scrypt-ts and copies dist files into its providers directory during install
  • Install hook mutates another dependency's package tree without an explicit user command
Evidence against
  • No child_process, eval, dynamic code loading, credential harvesting, or broad filesystem traversal found
  • dist/gn-provider.js network use is runtime provider functionality for BSV APIs
  • README.md documents automatic sCrypt provider installation and Whatsonchain API usage
  • No evidence of exfiltration, persistence, destructive behavior, or AI-agent control-surface writes
Behavioral surface
Source
FilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 22.5 KB of source, external domains: api.whatsonchain.com, mapi.gorillapool.io, testnet-mapi.gorillapool.io

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings