AI Security Review
scanned 1h ago · by lpm-firewall-aiNo install-time or runtime code path executes in this package. The only unusual content is a large opaque binary payload embedded in package.json keywords, which is not referenced by code.
Static reason
No blocking static signals were detected.
Trigger
No package action activates the payload; it remains inert in package metadata.
Impact
Could stage non-inspectable data for an external consumer, but this package contains no loader or execution chain.
Mechanism
Opaque high-entropy payload carrier in metadata
Rationale
Source inspection found no executable behavior or concrete attack chain, but the unusually large opaque metadata payload is an unresolved staged-payload risk. Warn rather than block because it is inert and has no activation path in the package.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- package.json contains 274 Base64-like keyword chunks totaling 51,200 decoded bytes.
- Decoded keyword data is opaque high-entropy binary (7.9948 bits/byte), not normal package metadata.
- The declared description is "chunk 4.685.42", consistent with an inert data carrier rather than a usable fs agent.
Evidence against
- package.json has no scripts, bin, main, module, browser, or dependencies.
- index.js exists but is empty; there is no executable package source.
- No URLs, credential access, filesystem actions, shell execution, or AI-agent configuration logic were found.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json contains 274 Base64-like keyword chunks totaling 51,200 decoded bytes.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence