AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package stores a large opaque binary payload in manifest metadata. No install-time or runtime trigger executes or decodes it.
Static reason
No blocking static signals were detected.
Trigger
None declared by the package.
Impact
No active malicious behavior is established from the extracted source.
Mechanism
Inert opaque metadata payload carrier
Rationale
Source inspection found no concrete execution, exfiltration, persistence, or destructive chain. The opaque metadata is suspicious and not package-aligned, so flag it as an inert payload carrier.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` embeds a 682,668-character opaque base64-like `description`.
- The decoded description is undetermined binary data, not normal package metadata.
- The payload has no declared package execution path.
Evidence against
- `package.json` declares no scripts, bin, main, exports, or dependencies.
- `index.js` is present but empty.
- No executable source accesses credentials, network, shell, or agent-control files.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` embeds a 682,668-character opaque base64-like `description`.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence