registry  /  node-fsagent  /  4.685.66

node-fsagent@4.685.66

chunk 4.685.66

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time or runtime execution path is present. `package.json` nevertheless carries an opaque binary payload in metadata, making it an inert staged-payload carrier.

Static reason
No blocking static signals were detected.
Trigger
No package-defined trigger; npm install and import have no package code to execute.
Impact
No active compromise is confirmed; an external consumer could retrieve the embedded data.
Mechanism
Opaque base64-concatenated binary embedded in metadata.
Rationale
No concrete execution or exfiltration chain exists, but the manifest embeds a substantial opaque binary payload with no legitimate implementation around it. Treat it as suspicious rather than clean.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • `package.json` contains 274 opaque high-entropy keyword strings.
  • Concatenated keywords base64-decode to 51 KB of untyped binary data.
  • The opaque binary is embedded in package metadata without a stated package purpose.
Evidence against
  • `index.js` is empty.
  • `package.json` has no lifecycle scripts, dependencies, bin, main, module, exports, or browser entrypoint.
  • No URLs, shell execution, filesystem mutation, credential access, or network code appears in the two shipped files.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` contains 274 opaque high-entropy keyword strings.

package.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence