AI Security Review
scanned 1h ago · by lpm-firewall-aiNo executable attack path is present. The manifest carries a 51,200-byte opaque payload in `keywords`, making it an inert staged-payload carrier.
Static reason
No blocking static signals were detected.
Trigger
Package metadata is installed or inspected; no package action executes the payload.
Impact
No confirmed runtime impact; hidden payload could support later distribution or analysis evasion.
Mechanism
Opaque base64-encoded binary data embedded in manifest keywords.
Rationale
Source inspection finds no executable malicious behavior, but the manifest contains a large opaque hidden payload unrelated to package functionality. Downgrade to warn as a staged-payload carrier.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` stores 274 base64-like keyword strings.
- Concatenated keywords decode to 51,200 bytes of opaque binary data.
- The opaque payload is not a normal npm keyword set or documented package source.
Evidence against
- `package.json` has no lifecycle scripts, dependencies, bin, or runtime entrypoint.
- `index.js` is empty.
- No source code, network endpoint, credential access, shell execution, or file mutation is present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Findings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence