registry  /  nexgear  /  0.3.1

nexgear@0.3.1

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package performs runtime self-update/setup for its Nexus client extension from unpkg. This is package-aligned but bypasses the installed npm version at runtime, so it is a platform extension lifecycle risk rather than confirmed malware.

Static reason
No blocking static signals were detected.
Trigger
Loading dist/nexGear.min.js in a Nexus client environment or installing the bundled .nxs package
Impact
Remote package-owned .nxs content can update the nexGear4 Nexus package configuration; no credential theft or destructive action was found.
Mechanism
runtime remote package-owned extension apply
Rationale
Static inspection found a real runtime remote-update mechanism for a package-owned Nexus extension, but no concrete malicious behavior, credential harvesting, destructive action, or npm install-time abuse. Treat as warn-level lifecycle risk rather than block-worthy malware.
Evidence
package.jsondist/nexGear.min.jsdist/nexGear3.nxsdist/nexGear4.nxsREADME.md
Network endpoints3
unpkg.com/nexgear/nexGear4.nxsunpkg.com/nexgear/dist/nexGear.min.jsnexusunleashed.github.io/nex-files/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/nexGear.min.js import-time startUp calls updateNxs()
  • updateNxs fetches https://unpkg.com/nexgear/nexGear4.nxs with no-store
  • fetched JSON is applied via nexusclient.packages().get("nexGear4").apply(...)
  • dist/nexGear3.nxs and dist/nexGear4.nxs onInstall dynamically import https://unpkg.com/nexgear/dist/nexGear.min.js
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • network endpoints are package-aligned unpkg/nexgear and Nexus Unleashed metadata
  • No child_process, filesystem, credential/env harvesting, or cookie access found
  • Runtime behavior is a gear manager UI for Nexus/Achaea using nexusclient variables and commands
  • No exfiltration endpoint or destructive behavior identified
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
Manifest
NoLicense
scanned 1 file(s), 110 KB of source, external domains: fb.me, unpkg.com

Source & flagged code

2 flagged · loading source
dist/nexGear.min.jsView file
Published source reference
Medium
Ai Review Evidence

dist/nexGear.min.js import-time startUp calls updateNxs()

dist/nexGear.min.jsView on unpkg
unpkg.com/nexgear/dist/nexGear.min.jsView file
Published source reference
Medium
Ai Review Evidence

dist/nexGear3.nxs and dist/nexGear4.nxs onInstall dynamically import https://unpkg.com/nexgear/dist/nexGear.min.js

unpkg.com/nexgear/dist/nexGear.min.jsView on unpkg

Findings

5 Medium4 Low
MediumNetwork
MediumAi Review Evidencedist/nexGear.min.js
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidenceunpkg.com/nexgear/dist/nexGear.min.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License