AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time or runtime attack surface is currently reachable. `package.json` contains an anomalous inert binary payload in metadata, but no code path loads or executes it.
Static reason
No blocking static signals were detected.
Trigger
None confirmed.
Impact
No demonstrated impact; the payload could be intended for later-stage use outside this package.
Mechanism
Opaque metadata payload with no declared consumer.
Rationale
No concrete malicious execution behavior exists in the inspected source, so blocking is not justified. The unusually large opaque metadata payload remains a real unresolved supply-chain risk and warrants a warning.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` stores a 682,668-character opaque base64-like description.
- Decoded description is 512 KB of unstructured binary data.
- `index.js` is empty; the blob has no package execution path.
Evidence against
- `package.json` has no lifecycle scripts.
- No `main`, `bin`, module, browser, dependencies, or optional dependencies are declared.
- No executable source, network endpoint, credential access, shell use, or persistence code is present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores a 682,668-character opaque base64-like description.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence