AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time or runtime attack surface is confirmed. The package distributes a large opaque metadata payload but has no declared executable entrypoint or lifecycle hook.
Static reason
No blocking static signals were detected.
Trigger
Installing or inspecting package metadata.
Impact
No direct execution is established; the opaque carrier could support a later external decoding or repackaging chain.
Mechanism
Inert opaque payload stored in package keywords.
Rationale
No direct malicious behavior can run from this package as shipped, but the unexplained opaque payload and absence of functionality warrant a warning rather than a clean verdict.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` contains a 69 KB opaque base64-like `keywords` payload.
- `index.js` is empty, leaving the package as metadata-only payload storage.
- The manifest describes itself only as `chunk 4.685.10`, with no stated functional interface.
Evidence against
- `package.json` has no `scripts` lifecycle hooks.
- No `main`, `bin`, `module`, `browser`, or dependencies are declared.
- No executable source, network endpoint, credential access, or file mutation was found.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` contains a 69 KB opaque base64-like `keywords` payload.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence