AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time or runtime execution path is present. The manifest contains a large opaque metadata payload, creating an inert carrier risk but no confirmed active attack surface.
Static reason
No blocking static signals were detected.
Trigger
None observed
Impact
Potential staging or downstream parser risk; no active behavior confirmed
Mechanism
Opaque payload embedded in package metadata
Rationale
No concrete malicious execution, persistence, exfiltration, or install-time mutation was found. The anomalously large opaque manifest payload warrants a warning as a staged payload carrier rather than a block.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` is 682744 bytes despite only metadata.
- `package.json` stores an unusually large opaque encoded-looking `description` value.
- `index.js` is empty; the opaque data is currently inert.
Evidence against
- `package.json` has no `scripts` or lifecycle hooks.
- No `main`, `module`, `browser`, or `bin` entrypoint is declared.
- No dependencies, network endpoints, executable code, or file operations were found.
- `index.js` is zero bytes.
Behavioral surface
Trivial
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
•Published source reference
Medium
Ai Review Evidence
`package.json` stores an unusually large opaque encoded-looking `description` value.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidencepackage.json
MediumAi Review Evidence