AI Security Review
scanned 1h ago · by lpm-firewall-aiNo executable attack path is established. The package is an inert carrier for a large opaque metadata payload, which is anomalous but not executed by this package.
Static reason
No blocking static signals were detected.
Trigger
None confirmed; importing the default empty `index.js` performs no action.
Impact
No confirmed runtime impact; downstream metadata processing may expose the inert payload.
Mechanism
Opaque payload stored only in manifest keywords.
Rationale
The metadata payload is materially anomalous and unjustified, but direct source inspection found no execution or exfiltration chain. Warn rather than block because the payload is inert in this package.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` contains 69 KB of opaque base64-like data in `keywords`.
- `package.json` has only metadata fields; the opaque data is not referenced by package code.
Evidence against
- `index.js` exists but is empty (0 bytes).
- `package.json` defines no lifecycle scripts, entrypoints, binaries, dependencies, or configuration.
- No network, shell, filesystem, credential, dynamic-code, or agent-control APIs exist in the package files.
Behavioral surface
Trivial
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` contains 69 KB of opaque base64-like data in `keywords`.
package.jsonView on unpkg•Published source reference
Medium
Ai Review Evidence
`package.json` has only metadata fields; the opaque data is not referenced by package code.
package.jsonView on unpkgFindings
2 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidencepackage.json