registry  /  node-fsagent  /  4.685.60

node-fsagent@4.685.60

chunk 4.685.60

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No active install-time or runtime attack path is established. The package is an inert opaque payload carrier embedded in manifest metadata.

Static reason
No blocking static signals were detected.
Trigger
None established; payload is only present when package metadata is read.
Impact
Potential staging or distribution of concealed data; no executed malicious behavior is evidenced.
Mechanism
Opaque encoded data embedded in `package.json` keywords
Rationale
The concealed 69 KB metadata payload is unjustified and unsafe to treat as clean, but direct inspection finds no concrete malicious execution behavior. Downgrade to warning for staged-payload risk.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` stores a 69 KB opaque base64-like blob in `keywords`.
  • Package description is generic: `chunk 4.685.60`.
  • Metadata payload is concealed rather than usable package documentation.
Evidence against
  • Only `package.json` and `index.js` are present.
  • `index.js` is empty.
  • `package.json` has no lifecycle scripts, dependencies, `bin`, or entrypoint fields.
  • No executable source, network endpoint, credential access, or filesystem mutation is present.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` stores a 69 KB opaque base64-like blob in `keywords`.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence