AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time or runtime execution path is present. The only substantive content is an opaque binary payload embedded in package metadata.
Static reason
No blocking static signals were detected.
Trigger
None in the published package; a separate loader would be required.
Impact
No active impact is demonstrated, but the hidden payload is unexplained and unsuitable for a functional package.
Mechanism
Inert opaque payload carrier in package.json keywords.
Rationale
No concrete malicious execution chain exists, so blocking is not justified. The unexplained opaque payload warrants a warning rather than a clean verdict.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json stores 274 base64-like keyword strings totaling 51,200 decoded bytes.
- The decoded data has no recognized file signature and is opaque binary.
- The package has no apparent functional implementation beyond this opaque metadata.
Evidence against
- package.json has no scripts, bin, main, module, browser, or dependencies.
- index.js exists but is empty.
- No executable source, network endpoint, credential access, shell use, or agent-control writes are present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json stores 274 base64-like keyword strings totaling 51,200 decoded bytes.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence