AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time or runtime execution path is present. `package.json` nevertheless carries an opaque binary payload in metadata, making it an inert staged-payload carrier.
Static reason
No blocking static signals were detected.
Trigger
No package-defined trigger; npm install and import have no package code to execute.
Impact
No active compromise is confirmed; an external consumer could retrieve the embedded data.
Mechanism
Opaque base64-concatenated binary embedded in metadata.
Rationale
No concrete execution or exfiltration chain exists, but the manifest embeds a substantial opaque binary payload with no legitimate implementation around it. Treat it as suspicious rather than clean.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` contains 274 opaque high-entropy keyword strings.
- Concatenated keywords base64-decode to 51 KB of untyped binary data.
- The opaque binary is embedded in package metadata without a stated package purpose.
Evidence against
- `index.js` is empty.
- `package.json` has no lifecycle scripts, dependencies, bin, main, module, exports, or browser entrypoint.
- No URLs, shell execution, filesystem mutation, credential access, or network code appears in the two shipped files.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` contains 274 opaque high-entropy keyword strings.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence