registry  /  node-fsagent  /  4.685.57

node-fsagent@4.685.57

chunk 4.685.57

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No active code path is present. `package.json` carries a large opaque binary payload in metadata, but no package file executes or consumes it.

Static reason
No blocking static signals were detected.
Trigger
None found
Impact
No confirmed install-time, runtime, persistence, exfiltration, or destructive behavior.
Mechanism
Inert opaque payload stored in manifest keywords
Rationale
Source inspection confirms no executable attack surface, but the unusually large opaque binary metadata is unresolved and inconsistent with ordinary npm package metadata. Warn rather than block because no activation mechanism is present.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • `package.json` stores 68,268 characters of Base64-like opaque data in 274 `keywords` entries.
  • Decoding the joined metadata yields unclassified binary data, not readable package source.
  • `index.js` is empty, so the payload has no in-package loader or decoder.
Evidence against
  • `package.json` has no `scripts`, `main`, `module`, `browser`, `bin`, or `exports` entrypoint.
  • No dependencies, network endpoints, subprocess use, credential access, file mutation, or install-time code exists in inspected files.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` stores 68,268 characters of Base64-like opaque data in 274 `keywords` entries.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence