AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious runtime or install-time behavior is present in the package source. The only network-related item is a dependency tarball reference, which is not executed by this package source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install resolves the declared dependency
Impact
No concrete package-controlled attack behavior established.
Mechanism
remote tarball dependency reference only
Rationale
The package itself is inert: its sole entrypoint exports an empty object and it has no lifecycle hooks. A remote dependency tarball merits supply-chain scrutiny but, without a concrete malicious chain in the inspected package source, does not justify a warning or block.
Evidence
package.jsonindex.js
Network endpoints1
ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.4.tgz
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` pins dependency `ltidisafe` to a remote tarball URL.
Evidence against
- `package.json` defines no preinstall, install, postinstall, or prepare hook.
- `index.js` only exports an empty object.
- Package contains only `package.json` and `index.js`; no hidden scripts, binaries, or payload files.
- Source scan found no credential harvesting, shell execution, dynamic loading, exfiltration, persistence, or agent-control writes.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Remote tarball dependency specs: ltidisafe@https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.4.tgz
Medium
Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgFindings
1 Medium1 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present