AI Security Review
scanned 1h ago · by lpm-firewall-aiNo active execution path is present in the inspected package. package.json embeds a 51,200-byte opaque binary payload in keywords, but no package code consumes it.
Static reason
No blocking static signals were detected.
Trigger
None identified from install or runtime package configuration.
Impact
Payload is currently non-executable, but it is unexplained and could be used as staged content by another component.
Mechanism
Inert opaque payload carrier embedded in manifest metadata.
Rationale
Source inspection found no executing code or direct malicious action, but the unexplained 51,200-byte opaque manifest payload is a real unresolved risk. Warn rather than block because no automatic execution or exfiltration path is present.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json contains 274 base64-like keyword strings totaling 68,268 characters.
- The concatenated metadata decodes to 51,200 bytes of high-entropy data with no recognizable signature or meaningful printable content.
- The package description labels it a “chunk,” consistent with an inert opaque payload carrier.
Evidence against
- package.json has no lifecycle scripts, entrypoint, bin, dependencies, or other executable configuration.
- index.js exists but is empty.
- No network endpoint, file write, shell execution, credential access, or import-time code is present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json contains 274 base64-like keyword strings totaling 68,268 characters.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence