registry  /  nexgear  /  0.3.3

nexgear@0.3.3

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malware was confirmed, but the package has a runtime extension lifecycle surface in Nexus: loading the bundle can update/apply a nexGear3 Nexus package from unpkg. This is package-aligned but modifies client reflex/package state.

Static reason
No blocking static signals were detected.
Trigger
Importing/loading dist/nexGear.min.js in a browser/Nexus client or installing/loading dist/nexGear3.nxs.
Impact
Could change nexGear3 Nexus reflexes/variables and issue gear-related in-game commands; no exfiltration or destructive host behavior found.
Mechanism
package-owned Nexus extension auto-update and gear-manager command automation
Rationale
Static source inspection found package-owned Nexus extension setup and auto-update behavior, which warrants a warn-level lifecycle risk, but no concrete malicious payload or exfiltration chain. There are no npm install hooks, so this should not be publish-blocked as install-time hijack.
Evidence
package.jsondist/nexGear.min.jsdist/nexGear3.nxsREADME.md
Network endpoints3
unpkg.com/nexgear/nexGear3.nxsunpkg.com/nexgear/dist/nexGear.min.jsnexusunleashed.github.io/nex-files/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/nexGear.min.js auto-fetches https://unpkg.com/nexgear/nexGear3.nxs at runtime when nexusclient exists and applies it to nexusclient packages().get('nexGear3').
  • dist/nexGear3.nxs onInstall runs SystemLoaded, which dynamically imports https://unpkg.com/nexgear/dist/nexGear.min.js.
  • dist/nexGear3.nxs defines Nexus aliases/triggers that send in-game gear commands and update nexusclient.variables().vars.nexGear.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and no bin entrypoint.
  • Network endpoints are package-aligned unpkg URLs for nexgear assets, not arbitrary exfiltration hosts.
  • Inspected source shows UI/gear-manager behavior for Achaea Nexus, with no credential/env/file harvesting or shell execution.
  • State changes are limited to DOM modal creation, nexusclient variables/reflexes, and in-game gear command automation.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
Manifest
NoLicense
scanned 1 file(s), 106 KB of source, external domains: fb.me, unpkg.com

Source & flagged code

2 flagged · loading source
dist/nexGear.min.jsView file
Published source reference
Medium
Ai Review Evidence

dist/nexGear.min.js auto-fetches https://unpkg.com/nexgear/nexGear3.nxs at runtime when nexusclient exists and applies it to nexusclient packages().get('nexGear3').

dist/nexGear.min.jsView on unpkg
unpkg.com/nexgear/dist/nexGear.min.jsView file
Published source reference
Medium
Ai Review Evidence

dist/nexGear3.nxs onInstall runs SystemLoaded, which dynamically imports https://unpkg.com/nexgear/dist/nexGear.min.js.

unpkg.com/nexgear/dist/nexGear.min.jsView on unpkg

Findings

4 Medium4 Low
MediumNetwork
MediumAi Review Evidencedist/nexGear.min.js
MediumAi Review Evidenceunpkg.com/nexgear/dist/nexGear.min.js
MediumAi Review Evidence
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License