lil-swisgom-hlepers@49.9.9

Utility package

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No direct malicious source behavior is present in this package. The main unresolved risk is that installation pulls a package-aligned core dependency from an external tarball URL.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install resolving dependencies; lifecycle hooks run echo commands only
Impact
Potential risk depends on remote dependency contents, not confirmed by this package source
Mechanism
external tarball dependency carrier with inert local wrapper
Attack narrative
The package itself is an inert wrapper: import returns an empty object and lifecycle scripts only print messages. However, package.json directs npm to install lil-swisgom-hlepers-core from an external tarball URL, so the wrapper can stage behavior in a remote dependency not present in the inspected source.
Rationale
Static source inspection does not confirm malware in the package itself, but the external tarball dependency creates unresolved supply-chain risk outside the inspected files. A warn verdict is appropriate rather than blocking publication of this wrapper as directly malicious.
Evidence
package.json, index.js, README.md
Network endpoints (1)
registry.grivy-packages.com/lil-swisgom-hlepers-core/-/lil-swisgom-hlepers-core-49.9.9.tgz

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json pins dependency to external tarball URL on registry.grivy-packages.com
  • Package has install lifecycle hooks, but they are simple echo commands
Evidence against
  • index.js only exports an empty object
  • No child_process, eval, dynamic require, env access, file writes, or credential harvesting found
  • No AI-agent control-surface writes or persistence found
  • README.md is minimal and contains no operational instructions
Behavioral surface
Source: No risky source behavior triggered.
Supply chain
Trivial
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 36 B of source

Source & flagged code

5 flagged

package.json: scripts.preinstall = echo lil-swisgom-hlepers: checking package metadata...
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json: scripts.preinstall = echo lil-swisgom-hlepers: checking package metadata...
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

package.json: scripts.install = echo lil-swisgom-hlepers: installing package...
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

package.json: scripts.postinstall = echo lil-swisgom-hlepers: setup complete
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

package.json: Remote tarball dependency specs: lil-swisgom-hlepers-core@https://registry.grivy-packages.com/lil-swisgom-hlepers-core/-/lil-swisgom-hlepers-core-49.9.9.tgz
Medium · Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.

Findings

1 High · 4 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Remote Tarball Dependency · package.json
Low · Non Install Lifecycle Scripts
Low · Scripts Present