AI Security Review
scanned 2h ago · by lpm-firewall-aiNo executable attack path is established. The package ships an opaque binary payload in metadata but no package code or manifest entrypoint consumes it.
Static reason
No blocking static signals were detected.
Trigger
None identified.
Impact
No activated behavior observed; the hidden payload is unexplained.
Mechanism
Inert opaque payload carrier in package metadata.
Rationale
No concrete malicious behavior can run from the inspected source, but the metadata-only opaque payload is abnormal and unresolved. Treat as a warning rather than a block.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- package.json contains 274 base64-like keyword strings totaling 68,268 characters.
- Concatenated keywords decode to opaque binary data with no recognizable header or useful strings.
- index.js is empty; no source consumes the embedded data.
Evidence against
- package.json has no scripts, bin, main, module, browser, or dependencies.
- The package contains only package.json and an empty index.js.
- No install-time hook, network endpoint, file access, shell execution, or credential handling is present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json contains 274 base64-like keyword strings totaling 68,268 characters.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence