registry  /  node-fsagent  /  4.685.51

node-fsagent@4.685.51

chunk 4.685.51

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No code executes during installation or import. The only notable surface is an inert, opaque metadata payload that an external consumer could retrieve and decode.

Static reason
No blocking static signals were detected.
Trigger
External tooling or a user reads and processes `package.json` keywords.
Impact
No concrete malicious action is implemented by this package alone.
Mechanism
Opaque payload staged in manifest keyword strings.
Rationale
Source inspection found no executable attack behavior, but the large opaque manifest payload is inconsistent with normal package keywords and has no package-aligned purpose. Treat it as an inert staged-payload carrier and warn rather than block.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • `package.json` is 69 KB and stores 274 opaque base64-like strings in `keywords`.
  • `package.json` has no functional metadata beyond identifying fields and the opaque keyword payload.
  • `index.js` exists but is empty, so the package provides no visible implementation for its stated name.
Evidence against
  • `package.json` defines no `preinstall`, `install`, `postinstall`, `prepare`, or other lifecycle scripts.
  • No entrypoint, binary, dependencies, network endpoints, shell use, or executable source was found.
  • No install-time or import-time mutation, harvesting, exfiltration, or remote execution is established.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` is 69 KB and stores 274 opaque base64-like strings in `keywords`.

package.jsonView on unpkg
Published source reference
Medium
Ai Review Evidence

`package.json` has no functional metadata beyond identifying fields and the opaque keyword payload.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidencepackage.json
MediumAi Review Evidence