AI Security Review
scanned 1h ago · by lpm-firewall-aiNo active attack surface is established. The manifest carries opaque binary data in `keywords`, but no package code loads or executes it.
Static reason
No blocking static signals were detected.
Trigger
No install or runtime trigger present.
Impact
No observed execution or exfiltration; payload is an unexplained staged carrier.
Mechanism
Inert opaque binary payload embedded in manifest metadata.
Rationale
No concrete malicious behavior executes in this package. The unexplained opaque payload is incompatible with a clean package and is flagged as a staged payload carrier.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` has 274 opaque base64-like keyword strings.
- Concatenated keywords decode to unrecognized binary data.
- `index.js` is empty; the payload is inert in this package.
Evidence against
- `package.json` defines no lifecycle scripts.
- No `main`, `bin`, module, or dependency entrypoints exist.
- No source invokes network, shell, filesystem, or dynamic execution APIs.
- No install-time or import-time code is present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` has 274 opaque base64-like keyword strings.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence