registry  /  node-fsagent  /  3.69.35

node-fsagent@3.69.35

/HmGMkGp4DVm9uHG+QEMRbJ0DitOvn0u/lk4Yz+9Fp6LCMtD6rhFVX4XlxXzTSws4qq8hZ1MGA3eM21g5FPuy2N+MEzK9Lbq32QAV4Kt+r2NkYGDGliFIm5WnjuBCYynjeNIxaTBp8QBQg+k5AAVgzUkFtCmST+0CP60VaEXOgHcm5NA5C37StCBzwyYnKugIgIKFZlKMrfolzFYnVhuGM5Xgm0BHYJSdocSncJax8zUcKvS81d5bQ0eZsyiGel

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No executable install-time or runtime attack path is established. The package is an inert opaque payload carrier: its only substantive content is a very large encoded description field.

Static reason
No blocking static signals were detected.
Trigger
None confirmed; package installation has no lifecycle hook and imports have no implementation.
Impact
No direct execution, exfiltration, persistence, or destructive behavior is present in the inspected package.
Mechanism
Opaque high-entropy data embedded in package metadata.
Rationale
Direct source inspection found no concrete malicious behavior, but the package is an inert opaque payload carrier with no legitimate functional source. Flag as suspicious rather than malicious because no install-time or runtime execution path exists.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` contains a 682,668-character base64-like opaque description field.
  • Decoded description bytes begin with high-entropy non-text data; no interpretable source or package purpose is provided.
  • `index.js` is empty, leaving no functional implementation behind the package name.
Evidence against
  • `package.json` has only name, version, license, and description fields.
  • No `preinstall`, `install`, `postinstall`, or other lifecycle scripts are declared.
  • No main/module/bin entrypoint, dependencies, network endpoints, or executable source were found.
  • Direct inspection found no credential harvesting, shell execution, filesystem mutation, or AI-agent control-surface writes.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` contains a 682,668-character base64-like opaque description field.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence