AI Security Review
scanned 1d ago · by lpm-firewall-ai
The npm package is mostly a launcher/downloader for a platform-specific executable. No confirmed malicious source behavior was found, but the install path retrieves and later executes an opaque remote binary for an agentic coding CLI.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or first justcode CLI run
Impact
Uninspectable release binary gains the runtime capabilities of a coding assistant when invoked; install-time network delivery of an executable remains an unresolved risk.
Mechanism
download, chmod, and spawn package release binary
Attack narrative
On install, postinstall calls ensureBinary, which derives a GitHub Releases URL from package.json and downloads a platform executable into dist-bin, marks it executable, and renames it into place. The bin entry repeats this on first run if needed, then spawns the binary with user arguments. The shipped JS does not plant agent instructions or harvest data, but the core agent code is outside the npm tarball.
Rationale
Source inspection supports a warn-level verdict for install-time delivery and execution of an opaque package-aligned AI coding assistant binary, not a publish block. There is no evidence of unconsented foreign agent control-surface mutation, persistence outside the package directory, or credential exfiltration in the shipped source.
Evidence
- package.json
- scripts/postinstall.mjs
- scripts/lib/download-binary.mjs
- scripts/lib/platform.mjs
- bin/justcode.mjs
- README.md
- dist-bin/justcode-<os>-<arch>
- dist-bin/justcode-<os>-<arch>.download
Network endpoints (1)
github.com/kingeke/justcode/releases/download/${tag}/${assetName()}
Decision evidence
public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node scripts/postinstall.mjs
- scripts/postinstall.mjs downloads a platform binary during install unless JUSTCODE_SKIP_DOWNLOAD is set
- scripts/lib/download-binary.mjs fetches GitHub Releases asset, chmods it executable, and writes dist-bin/<asset>
- bin/justcode.mjs lazily downloads the same binary and spawns it with inherited stdio
- README describes an AI coding assistant with file, shell, web, MCP, and provider-key workflows
Evidence against
- No code writes Claude/Codex/Cursor/MCP control surfaces during install
- No credential harvesting or exfiltration logic found in shipped JS wrapper files
- Network endpoint is package-aligned GitHub Releases URL derived from package repository/version
- Downloaded executable is stored under the package directory, not persistence locations
- No eval/vm/Function or obfuscated JavaScript found
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell, UrlStrings
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High, 3 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings