AI Security Review
scanned 2h ago · by lpm-firewall-aiNo package-triggered execution path is present. package.json carries a large opaque binary blob in metadata; the package itself does not decode or execute it.
Static reason
No blocking static signals were detected.
Trigger
No install-time or runtime trigger exists within this package.
Impact
Inert in this package, but suspicious as a staged payload carrier if consumed by external code.
Mechanism
opaque binary payload embedded in manifest keywords
Rationale
Static inspection found no active malicious behavior, but the large opaque binary hidden in manifest keywords has no package-aligned purpose. Warn rather than block because it is inert without an external consumer.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json stores 274 base64 fragments totaling 68,268 characters in keywords.
- Concatenated keywords decode to opaque binary data with no recognized file signature.
- The package is effectively an inert opaque-payload carrier, not a normal library.
Evidence against
- package.json has no scripts, dependencies, bin, main, module, browser, or exports entrypoint.
- index.js is empty.
- No URLs, network code, credential access, shell execution, or filesystem mutation source exists.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json stores 274 base64 fragments totaling 68,268 characters in keywords.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence