AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time or runtime execution path is present. `package.json` nevertheless conceals a 51,200-byte opaque binary payload in metadata, making it an inert staged-payload carrier.
Static reason
No blocking static signals were detected.
Trigger
No declared lifecycle or runtime trigger; the payload is present in package metadata.
Impact
No active behavior is established, but the unexplained payload is unsuitable for a clean upstream package.
Mechanism
opaque binary payload concealed in manifest keywords
Rationale
No concrete malicious execution chain exists, so blocking is not supported. The large concealed binary metadata payload is unexplained and materially suspicious.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` stores 274 opaque base64-like keyword fragments totaling 68,268 characters.
- Concatenating and decoding those fragments yields a 51,200-byte untyped binary blob.
- The package description calls this a “chunk,” but no source consumes or documents the embedded payload.
Evidence against
- `package.json` has no lifecycle scripts, dependencies, bin, or explicit entrypoint.
- `index.js` is empty; the package contains no executable source, network logic, or file operations.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores 274 opaque base64-like keyword fragments totaling 68,268 characters.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence