AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package performs runtime self-update/setup for its Nexus client extension from unpkg. This is package-aligned but bypasses the installed npm version at runtime, so it is a platform extension lifecycle risk rather than confirmed malware.
Decision evidence
public snapshot- dist/nexGear.min.js import-time startUp calls updateNxs()
- updateNxs fetches https://unpkg.com/nexgear/nexGear4.nxs with no-store
- fetched JSON is applied via nexusclient.packages().get("nexGear4").apply(...)
- dist/nexGear3.nxs and dist/nexGear4.nxs onInstall dynamically import https://unpkg.com/nexgear/dist/nexGear.min.js
- package.json has no preinstall/install/postinstall lifecycle hooks
- network endpoints are package-aligned unpkg/nexgear and Nexus Unleashed metadata
- No child_process, filesystem, credential/env harvesting, or cookie access found
- Runtime behavior is a gear manager UI for Nexus/Achaea using nexusclient variables and commands
- No exfiltration endpoint or destructive behavior identified
Source & flagged code
2 flagged · loading sourcedist/nexGear.min.js import-time startUp calls updateNxs()
dist/nexGear.min.jsView on unpkgdist/nexGear3.nxs and dist/nexGear4.nxs onInstall dynamically import https://unpkg.com/nexgear/dist/nexGear.min.js
unpkg.com/nexgear/dist/nexGear.min.jsView on unpkg