AI Security Review
scanned 3h ago · by lpm-firewall-aiNo active install-time or runtime attack path is established. The package is an inert opaque payload carrier embedded in manifest metadata.
Static reason
No blocking static signals were detected.
Trigger
None established; payload is only present when package metadata is read.
Impact
Potential staging or distribution of concealed data; no executed malicious behavior is evidenced.
Mechanism
Opaque encoded data embedded in `package.json` keywords
Rationale
The concealed 69 KB metadata payload is unjustified and unsafe to treat as clean, but direct inspection finds no concrete malicious execution behavior. Downgrade to warning for staged-payload risk.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` stores a 69 KB opaque base64-like blob in `keywords`.
- Package description is generic: `chunk 4.685.60`.
- Metadata payload is concealed rather than usable package documentation.
Evidence against
- Only `package.json` and `index.js` are present.
- `index.js` is empty.
- `package.json` has no lifecycle scripts, dependencies, `bin`, or entrypoint fields.
- No executable source, network endpoint, credential access, or filesystem mutation is present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores a 69 KB opaque base64-like blob in `keywords`.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence