AI Security Review
scanned 1h ago · by lpm-firewall-aiNo install-time or runtime code path is exposed. package.json carries a large opaque metadata payload, but no shipped code reads, decodes, executes, writes, or transmits it.
Static reason
No blocking static signals were detected.
Trigger
No declared install, import, or command trigger.
Impact
No confirmed execution, persistence, collection, or network impact from this package version.
Mechanism
Inert opaque payload stored in manifest keywords.
Rationale
There is no concrete malicious execution chain, but the manifest is primarily an opaque data carrier rather than a functional npm package. Warn rather than block because no activation mechanism is present.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- package.json stores 274 opaque base64-like keyword strings (68,268 characters).
- The package description labels the release as a "chunk" rather than describing functionality.
- The opaque content is an inert staged payload carrier in package metadata.
Evidence against
- package.json has only name, version, license, description, and keywords fields.
- No lifecycle scripts, entrypoints, bin, dependencies, or configuration are declared.
- index.js exists but is empty.
- Package directory contains only package.json and empty index.js; no executable payload path exists.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json stores 274 opaque base64-like keyword strings (68,268 characters).
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence