registry  /  node-fsagent  /  4.685.39

node-fsagent@4.685.39

chunk 4.685.39

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No executable attack path is present. The manifest carries a 51,200-byte opaque payload in `keywords`, making it an inert staged-payload carrier.

Static reason
No blocking static signals were detected.
Trigger
Package metadata is installed or inspected; no package action executes the payload.
Impact
No confirmed runtime impact; hidden payload could support later distribution or analysis evasion.
Mechanism
Opaque base64-encoded binary data embedded in manifest keywords.
Rationale
Source inspection finds no executable malicious behavior, but the manifest contains a large opaque hidden payload unrelated to package functionality. Downgrade to warn as a staged-payload carrier.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Unknown with low false-positive risk.
Evidence for warning
  • `package.json` stores 274 base64-like keyword strings.
  • Concatenated keywords decode to 51,200 bytes of opaque binary data.
  • The opaque payload is not a normal npm keyword set or documented package source.
Evidence against
  • `package.json` has no lifecycle scripts, dependencies, bin, or runtime entrypoint.
  • `index.js` is empty.
  • No source code, network endpoint, credential access, shell execution, or file mutation is present.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` stores 274 base64-like keyword strings.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence