registry  /  node-fsagent  /  4.685.50

node-fsagent@4.685.50

chunk 4.685.50

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No active execution path is present in the packaged files. package.json carries a large opaque binary payload disguised as keywords, but nothing triggers it.

Static reason
No blocking static signals were detected.
Trigger
None in this package version.
Impact
No confirmed runtime impact; payload could enable a later staged delivery chain.
Mechanism
Inert opaque payload carrier in manifest metadata.
Rationale
No concrete malicious behavior executes, but the concealed binary manifest payload is an unexplained staged-payload indicator. Warn to preserve evidence without claiming an active attack.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json stores a 51 KB base64 blob across 274 opaque keyword strings.
  • Decoded keyword data is unrecognized binary with no readable payload text.
  • The declared package contains no functional implementation; index.js is empty.
Evidence against
  • package.json has no scripts, bin, main, dependencies, or install hooks.
  • No executable source, network endpoint, file access, shell use, or credential handling is present.
  • No package code references or decodes the keyword blob.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

package.json stores a 51 KB base64 blob across 274 opaque keyword strings.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence