registry  /  netpack  /  0.2.1

netpack@0.2.1

The blazing fast bundler and optimizer that just works for most web projects.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Postinstall provisions a platform-specific netpack binary when its optional dependency is missing. The lifecycle script only targets package-local CLI/binary paths and the npm registry; no confirmed malicious attack surface is established.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
`npm install` when the matching optional binary dependency is unavailable; explicit `netpack` CLI/API invocation at runtime.
Impact
Installs and validates the package-aligned native binary; no source-confirmed data theft, persistence, or foreign control-surface mutation.
Mechanism
package-local platform binary recovery and execution
Rationale
The install hook is a package-aligned fallback for fixed, scoped platform binaries and performs no foreign-file or AI-agent mutation. Static signals arise from normal native-binary provisioning and explicit CLI process spawning, not a concrete malicious chain.
Evidence
package.jsondist/install.jsdist/main.jscli/netpack.jscli/netpack
Network endpoints1
registry.npmjs.org

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `package.json` runs `dist/install.js` on postinstall.
  • `dist/install.js` falls back to scoped `@netpack/*` binary packages when optional dependencies are absent.
  • Fallback downloads only from `https://registry.npmjs.org` and writes the selected platform binary inside this package.
Evidence against
  • No credential, environment, or project-file harvesting is present.
  • No exfiltration endpoint exists beyond the npm registry binary fallback.
  • No eval, VM, remote script execution, persistence, destructive action, or AI-agent configuration mutation is present.
  • `dist/main.js` only resolves a platform binary and spawns it for explicit API/CLI use.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 20.1 KB of source, external domains: nodejs.org, registry.npmjs.org, yarnpkg.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
name = netpack; similarTo = webpack
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.jsonView on unpkg
dist/main.jsView file
matchType = previous_version_dangerous_delta matchedPackage = netpack@0.2.0 matchedIdentity = npm:bmV0cGFjaw:0.2.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/main.jsView on unpkg
233// main.ts L234: var child_process = __toESM(require("child_process")); L235: var { binPath } = generateBinPath();
High
Child Process

Package source references child process execution.

dist/main.jsView on unpkg · L233
36// platform.ts L37: var fs = __toESM(require("fs")); L38: var os = __toESM(require("os"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/main.jsView on unpkg · L36
dist/install.jsView file
176fs.writeFileSync(path2.join(installDir, "package.json"), "{}"); L177: child_process.execSync( L178: `npm install --loglevel=error --prefer-offline --no-audit --progress=false ${pkg}@${versionFromPackageJSON}`, L179: { cwd: installDir, stdio: "pipe", env }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install.jsView on unpkg · L176

Findings

1 Critical3 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/main.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/main.js
HighRuntime Package Installdist/install.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumTyposquat Namepackage.json
MediumDynamic Requiredist/main.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings