registry  /  hitmaker  /  2.1.2

hitmaker@2.1.2

Synthetic traffic generator for testing analytics, redirect, and click-tracking systems. Ships a prebuilt native binary with a Bubble Tea TUI and a headless CLI.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established in the inspected package source. The only executable behavior is a user-invoked CLI shim that starts a matching platform binary from a pinned optional dependency.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `hitmaker` command.
Impact
Executes the separately packaged native CLI; the inspected JavaScript performs no install-time mutation, exfiltration, or networking.
Mechanism
Platform-binary resolution and argument-forwarding via `spawnSync`.
Rationale
The scanner findings reflect a normal native-CLI launcher, not runtime package installation or a concrete malicious chain. Direct inspection found no lifecycle execution, payload retrieval, credential access, persistence, or destructive behavior.
Evidence
package.jsonbin/hitmaker.jsREADME.md

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `bin/hitmaker.js` launches a platform-specific optional-dependency binary when the user runs `hitmaker`.
Evidence against
  • `package.json` defines no preinstall, install, postinstall, prepare, or other lifecycle scripts.
  • `bin/hitmaker.js` only resolves a pinned `@zeb-link/hitmaker-*` package and forwards user arguments with inherited stdio.
  • No source reads credentials, environment secrets, or user files.
  • No runtime network client, shell command, eval, dynamic payload retrieval, persistence, or AI-agent configuration mutation is present.
  • The package contains only `package.json`, `README.md`, `LICENSE`, and the launcher shim.
Behavioral surface
Source
ChildProcess
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.97 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
bin/hitmaker.jsView file
8L9: const { spawnSync } = require("node:child_process"); L10:
High
Child Process

Package source references child process execution.

bin/hitmaker.jsView on unpkg · L8
46`If you installed with --no-optional or --omit=optional, reinstall without it:\n` + L47: ` npm i -g hitmaker` L48: ); ... L51: L52: const result = spawnSync(resolveBinary(), process.argv.slice(2), { L53: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/hitmaker.jsView on unpkg · L46

Findings

2 High1 Low
HighChild Processbin/hitmaker.js
HighRuntime Package Installbin/hitmaker.js
LowUrl Strings