registry  /  node-fsagent  /  4.685.1

node-fsagent@4.685.1

chunk 4.685.1

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No executable attack path is present in the extracted package. The only suspicious artifact is an inert opaque metadata payload.

Static reason
No blocking static signals were detected.
Trigger
None in the inspected package; no install or import code is defined.
Impact
No confirmed runtime impact; metadata could support later staging outside this package.
Mechanism
opaque payload carried in manifest keywords
Rationale
The package lacks a concrete malicious execution chain, so blocking is not supported. Its unexplained high-volume opaque metadata is a real staged-payload risk and merits a warning.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Unknown with low false-positive risk.
Evidence for warning
  • `package.json` stores a ~69 KB opaque base64-like payload in `keywords`.
  • The package description is generic (`chunk 4.685.1`) and does not explain the payload.
Evidence against
  • `index.js` is empty.
  • `package.json` has no lifecycle scripts, bin, main, module, browser, or dependencies.
  • No executable source, network endpoint, credential access, file mutation, or shell invocation was found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` stores a ~69 KB opaque base64-like payload in `keywords`.

package.jsonView on unpkg

Findings

2 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence