AI Security Review
scanned 3h ago · by lpm-firewall-aiNo executable attack surface activates during install or import: there are no lifecycle scripts and `index.js` is empty. The package is an inert opaque binary carrier embedded in manifest keywords.
Static reason
No blocking static signals were detected.
Trigger
External extraction of manifest keyword data; no package-controlled install or runtime trigger.
Impact
No direct impact in this version alone; the unexplained payload can be recovered for external use.
Mechanism
Opaque base64-encoded binary staged in package metadata.
Rationale
The package has no functional code or activation path, but carries a substantial unexplained binary payload in metadata. Flag as suspicious rather than block because concrete malicious execution, exfiltration, or persistence is absent.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` contains 274 opaque base64-like strings totaling 68,268 characters in `keywords`.
- Concatenated decoded data is unidentified binary, with no meaningful text payload.
- The generic description and metadata-only binary blob provide no legitimate package function.
Evidence against
- `index.js` is empty.
- `package.json` has only name, version, license, description, and keywords; no scripts, entrypoints, bin, exports, or dependencies.
- No install/import execution, network endpoints, credential access, shell use, filesystem mutation, or AI-agent control paths exist.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` contains 274 opaque base64-like strings totaling 68,268 characters in `keywords`.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence