AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time or runtime execution path is established. The package carries an opaque binary blob in metadata, creating unresolved supply-chain payload-carrier risk.
Static reason
No blocking static signals were detected.
Trigger
Package installation or metadata retrieval; no executable trigger is declared.
Impact
No direct compromise is evidenced, but the unexplained carrier is unsuitable for a clean verdict.
Mechanism
Opaque base64-encoded binary stored in npm keywords.
Rationale
Source inspection found no execution or exfiltration behavior, but the unexplained binary payload embedded in metadata is a real unresolved supply-chain risk. Downgrade to warn rather than block.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` stores 68,268 base64 characters across 274 `keywords` values.
- Joined `keywords` decode to opaque binary data with no recognizable file signature.
- The package description calls it a "chunk," consistent with inert payload storage.
- `index.js` is empty, so the opaque data has no visible package-local consumer.
Evidence against
- `package.json` has no `scripts` lifecycle hooks.
- No `main`, `module`, `browser`, or `bin` entrypoint is declared.
- No dependencies, network endpoints, credential access, or shell execution are declared.
- Only `package.json` and an empty `index.js` are present.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores 68,268 base64 characters across 274 `keywords` values.
package.jsonView on unpkgFindings
4 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence