AI Security Review
scanned 2h ago · by lpm-firewall-aiNo executable attack path is present. The package ships a large opaque manifest-data blob that is inert within this package.
Static reason
No blocking static signals were detected.
Trigger
Package download or metadata inspection.
Impact
No runtime activation or concrete impact is established from package source alone.
Mechanism
Opaque base64-like data embedded in manifest keywords.
Rationale
The opaque payload-like metadata is unexplained and unsuitable for a normal npm package, but direct inspection found no executable malicious behavior. Treat as an inert staged-payload carrier rather than a publish-blocking compromise.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` contains ~69 KB of opaque base64-like keyword data.
- Package has no apparent declared functionality beyond an empty `index.js`.
Evidence against
- `package.json` has no lifecycle scripts, dependencies, bin, or entrypoint overrides.
- `index.js` is empty; no install-time or import-time code exists.
- No network endpoints, shell execution, credential access, file writes, or dynamic execution found.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` contains ~69 KB of opaque base64-like keyword data.
package.jsonView on unpkgFindings
2 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence