AI Security Review
scanned 2d ago · by lpm-firewall-ai
The package is an npm wrapper that downloads and runs a native binary during postinstall. This creates install-time remote code execution risk, but the observed endpoints and paths are package-aligned and no concrete malicious behavior is present in source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npm install -g mycel-cli
Impact
Installer executes unaudited release binary at install time; source package itself shows no exfiltration or persistence.
Mechanism
postinstall downloads GitHub release binary, writes bin/mycel, chmods it, then runs mycel version
Attack narrative
On installation, npm runs install.mjs. The script detects OS/architecture, queries GitHub for the latest rpuneet/mycel release, downloads a matching tar.gz, extracts the mycel binary into bin/mycel, chmods it executable, and invokes it with the version argument. This is package-aligned but means install runs code not contained in the npm tarball.
Rationale
Source inspection confirms an install-time downloader/executor for a remote native binary, including use of the latest GitHub release rather than strictly the npm package version. Because there is no evidence of malicious payload, exfiltration, persistence, or foreign AI-agent control-surface mutation in the package source, this is a warning-level remote code execution risk rather than a publish block.
Evidence
package.json, install.mjs, bin/mycel, README.md
Network endpoints (2)
- api.github.com/repos/rpuneet/mycel/releases/latest
- github.com/rpuneet/mycel/releases/download/v{version}/mycel_{version}_{os}_{arch}.tar.gz
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- package.json defines postinstall: node install.mjs
- install.mjs fetches latest release metadata from api.github.com instead of pinning package version when available
- install.mjs downloads a platform tar.gz from github.com/rpuneet/mycel/releases and writes bin/mycel
- install.mjs executes the downloaded binary with execFileSync(BIN_PATH,["version"]) during install
Evidence against
- Only package files present are package.json, install.mjs, README.md, LICENSE, and bin/mycel placeholder
- README.md documents the postinstall binary download behavior
- Network endpoints are package-aligned with repository rpuneet/mycel
- No source evidence of credential harvesting, persistence, shell startup edits, AI-agent config planting, or destructive actions
- execFileSync uses a fixed local binary path and fixed argument, not shell interpolation
Behavioral surface
ChildProcess, Filesystem, Network, Shell, UrlStrings
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High, 2 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings