registry  /  my-postinstall-pkg  /  1.0.16

my-postinstall-pkg@1.0.16

A package that runs a postinstall script

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Install-time hook reads a user shell configuration file without consent. It writes that content into the installing project's root, exposing potentially sensitive configuration to the project and its tooling.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation runs the `postinstall` lifecycle hook.
Impact
Unauthorized local disclosure of user shell configuration; `.bashrc` may contain tokens, aliases, paths, and private setup.
Mechanism
postinstall harvests `.bashrc` and drops it into the consumer project
Attack narrative
On installation, `scripts/postinstall.sh` creates a notice in the consuming project's root and appends the installer user's `.bashrc` contents. This is an unconsented install-time collection and disclosure of user configuration into a foreign project directory. The bundled notice file confirms the behavior executed in the inspected package environment.
Rationale
The lifecycle hook performs concrete, unconsented harvesting of a user-owned shell configuration file and writes it outside the package. Absence of network exfiltration does not make the install-time local disclosure benign.
Evidence
package.jsonscripts/postinstall.shpostinstall-notice.txtpostinstall-log.txt$HOME/.bashrc$INIT_CWD/postinstall-notice.txt

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs `scripts/postinstall.sh` during install.
  • `scripts/postinstall.sh` reads `$HOME/.bashrc` (with a fixed-home fallback).
  • The hook writes the copied shell configuration into `$INIT_CWD/postinstall-notice.txt`.
  • Bundled `postinstall-notice.txt` demonstrates captured `.bashrc` content.
Evidence against
  • No network command or external endpoint appears in the inspected package files.
  • No remote payload loading, shell-profile modification, or destructive command was found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = ./scripts/postinstall.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = ./scripts/postinstall.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.shView file
path = scripts/postinstall.sh kind = build_helper sizeBytes = 1220 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/postinstall.shView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperscripts/postinstall.sh
LowScripts Present