AI Security Review
scanned 3h ago · by lpm-firewall-aiNo executable attack path is present in the extracted package. The only suspicious artifact is an inert opaque metadata payload.
Static reason
No blocking static signals were detected.
Trigger
None in the inspected package; no install or import code is defined.
Impact
No confirmed runtime impact; metadata could support later staging outside this package.
Mechanism
opaque payload carried in manifest keywords
Rationale
The package lacks a concrete malicious execution chain, so blocking is not supported. Its unexplained high-volume opaque metadata is a real staged-payload risk and merits a warning.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` stores a ~69 KB opaque base64-like payload in `keywords`.
- The package description is generic (`chunk 4.685.1`) and does not explain the payload.
Evidence against
- `index.js` is empty.
- `package.json` has no lifecycle scripts, bin, main, module, browser, or dependencies.
- No executable source, network endpoint, credential access, file mutation, or shell invocation was found.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores a ~69 KB opaque base64-like payload in `keywords`.
package.jsonView on unpkgFindings
2 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence