registry  /  lazycf  /  0.2.0

lazycf@0.2.0

TUI lazy para gestionar la infraestructura de Cloudflare desde la terminal

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Install-time code fetches and installs a native executable that is not present in the npm tarball. The wrapper later executes that downloaded binary when the lazycf command is invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, then user runs lazycf
Impact
Unverified remote release binary gains local execution if installed or invoked, but no malicious source behavior is confirmed in the package JavaScript.
Mechanism
postinstall remote binary downloader and CLI shim
Rationale
lazycf@0.2.0 has a real install-time remote executable download risk, but the behavior is package-aligned, documented, and lacks concrete malicious actions in inspected source. Treat as warn rather than block because no source-grounded attack chain beyond remote binary installation is established.
Evidence
package.jsoninstall.jsbin/lazycfREADME.mdbin/lazycf-binbin/lazycf-bin.exe
Network endpoints1
github.com/PaulPPS632/lazycf/releases/download/v${VERSION}/${assetName}

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node install.js
  • install.js downloads a platform executable from GitHub releases during install
  • install.js writes bin/lazycf-bin or bin/lazycf-bin.exe and chmods it executable
  • bin/lazycf runs the downloaded binary via spawnSync
Evidence against
  • Download URL is package-aligned to PaulPPS632/lazycf release v0.2.0 asset name
  • No credential, env, home-directory, or project-file harvesting found in package source
  • No exfiltration endpoint beyond GitHub release download
  • No eval/vm/Function, shell command string execution, persistence, or AI-agent config mutation found
  • README openly documents native binary download and Cloudflare TUI purpose
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.93 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings