
insomnia-plugin-poc-m4gester-run@1.0.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package has an install-time command execution surface via npm postinstall. Runtime plugin code is inert.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
Executes calc.exe on Windows during install; demonstrates arbitrary lifecycle command execution without package-aligned purpose.
Mechanism
unconsented install-time external command execution
Attack narrative
Installing the package triggers npm's postinstall lifecycle and executes calc.exe on Windows. The main Insomnia plugin entrypoint does nothing, so the meaningful behavior is the unconsented install-time command rather than runtime plugin functionality.
Rationale
Direct source inspection confirms the only substantive behavior is an automatic postinstall command with no legitimate package purpose. Although there is no exfiltration or persistence, unconsented lifecycle command execution is concrete install-hook abuse.
Evidence
package.json, index.js

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle script: calc.exe.
  • The lifecycle command runs automatically during npm install on Windows.
  • Package contains no legitimate install/build logic to justify install-time command execution.
Evidence against
  • index.js only exports an empty Insomnia requestHooks array.
  • No network endpoints, credential harvesting, file traversal, AI-agent control-surface writes, or persistence beyond lifecycle execution were found.
Behavioral surface
Source: No risky source behavior triggered.
Supply chain
Trivial
Manifest
No License
scanned 1 file(s), 38 B of source

Source & flagged code

2 flagged
package.json
scripts.postinstall = calc.exe
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = calc.exe
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 1 Medium, 2 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Low: Scripts Present
Low: No License