AI Security Review
scanned 3h ago · by lpm-firewall-aiNo executable install-time or runtime attack path is established. The package is an inert carrier for a large opaque payload hidden in `keywords`.
Static reason
No blocking static signals were detected.
Trigger
None identified; npm metadata parsing does not execute the keyword payload.
Impact
Potential staged-payload distribution, but no local execution or exfiltration chain is present.
Mechanism
Opaque binary payload embedded in package metadata.
Rationale
The opaque encoded metadata is highly anomalous and has no legitimate package function shown by source. Because no execution chain is present, it warrants a warning rather than a publish block.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` stores 274 base64-like keyword strings totaling 68,268 characters.
- The concatenated keywords decode to 51,201 bytes of opaque binary data.
- `index.js` is empty; package payload is concealed in manifest metadata.
Evidence against
- `package.json` has no `scripts`, `main`, `bin`, dependencies, or other executable entrypoint.
- No lifecycle hook, network endpoint, shell execution, file access, or credential handling is present.
- No source code consumes or decodes the manifest payload at install or runtime.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores 274 base64-like keyword strings totaling 68,268 characters.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence