registry  /  node-fsagent  /  4.685.56

node-fsagent@4.685.56

chunk 4.685.56

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No package-triggered execution path is present. package.json carries a large opaque binary blob in metadata; the package itself does not decode or execute it.

Static reason
No blocking static signals were detected.
Trigger
No install-time or runtime trigger exists within this package.
Impact
Inert in this package, but suspicious as a staged payload carrier if consumed by external code.
Mechanism
opaque binary payload embedded in manifest keywords
Rationale
Static inspection found no active malicious behavior, but the large opaque binary hidden in manifest keywords has no package-aligned purpose. Warn rather than block because it is inert without an external consumer.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json stores 274 base64 fragments totaling 68,268 characters in keywords.
  • Concatenated keywords decode to opaque binary data with no recognized file signature.
  • The package is effectively an inert opaque-payload carrier, not a normal library.
Evidence against
  • package.json has no scripts, dependencies, bin, main, module, browser, or exports entrypoint.
  • index.js is empty.
  • No URLs, network code, credential access, shell execution, or filesystem mutation source exists.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

package.json stores 274 base64 fragments totaling 68,268 characters in keywords.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence