AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package has an install-time command execution surface via npm postinstall. Runtime plugin code is inert.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
Executes calc.exe on Windows during install; demonstrates arbitrary lifecycle command execution without package-aligned purpose.
Mechanism
unconsented install-time external command execution
Attack narrative
Installing the package triggers npm's postinstall lifecycle and executes calc.exe on Windows. The main Insomnia plugin entrypoint does nothing, so the meaningful behavior is the unconsented install-time command rather than runtime plugin functionality.
Rationale
Direct source inspection confirms the only substantive behavior is an automatic postinstall command with no legitimate package purpose. Although there is no exfiltration or persistence, unconsented lifecycle command execution is concrete install-hook abuse.
Evidence
package.json, index.js
Decision evidence
public snapshot: AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json defines postinstall lifecycle script: calc.exe.
- The lifecycle command runs automatically during npm install on Windows.
- Package contains no legitimate install/build logic to justify install-time command execution.
Evidence against
- index.js only exports an empty Insomnia requestHooks array.
- No network endpoints, credential harvesting, file traversal, AI-agent control-surface writes, or persistence beyond lifecycle execution were found.
Behavioral surface
Trivial
No License
Source & flagged code
2 flagged
package.json
- scripts.postinstall = calc.exe
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = calc.exe
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 2 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Low: Scripts Present
- Low: No License