AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious code exists in the inspected package source. Installing it resolves an uninspected remote tarball dependency.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install of home-sections-web-ui@99.9.9
Impact
Uninspected dependency code could execute through its own lifecycle or runtime behavior.
Mechanism
remote tarball dependency resolution
Rationale
Source inspection found no concrete malicious behavior in this package, but the remote tarball dependency creates an unresolved supply-chain execution risk on installation. Warn rather than block because the inspected source does not establish malicious intent or payload behavior.
Evidence
package.jsonindex.js
Network endpoints1
storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-10443
Source
OpenSSF Malicious Packages via OSV
Summary
Source inspection found no concrete malicious behavior in this package, but the remote tarball dependency creates an unresolved supply-chain execution risk on installation. Warn rather than block because the inspected source does not establish malicious intent or payload behavior.
References
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` declares `ltidisafe` from a remote Google Cloud Storage tarball.
- The remote dependency is fetched during npm dependency installation and its source is not present for inspection.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- `index.js` only logs a fixed greeting.
- Package contains only `package.json` and `index.js`; no file, credential, shell, or network logic was found.
Behavioral surface
Trivial
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Remote tarball dependency specs: ltidisafe@https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz
Medium
Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgFindings
1 Medium2 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowNo License