AI Security Review
scanned 3h ago · by lpm-firewall-aiNo executable attack path is currently wired into installation or runtime. `package.json` contains an inert opaque 51,200-byte payload embedded in keywords, making it a staged-payload carrier.
Static reason
No blocking static signals were detected.
Trigger
No current trigger; the payload is not referenced by executable package code.
Impact
No observed execution or exfiltration, but concealed payload could support a later malicious release or loader.
Mechanism
Opaque high-entropy Base64 data concealed in manifest keywords.
Rationale
Source inspection finds no active malicious behavior, but a large opaque payload concealed in `package.json` is inconsistent with a benign empty package. Treat as a non-blocking staged-payload carrier.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` stores 274 Base64-only keyword strings.
- Concatenated keywords decode to 51,200 bytes of high-entropy opaque data.
- The opaque payload has no package-aligned functional purpose or source reference.
Evidence against
- `package.json` has no lifecycle scripts, entrypoints, bin, or dependencies.
- `index.js` exists but is empty.
- No network, shell, credential, filesystem-write, or agent-control code is present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Findings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence