AI Security Review
scanned 2h ago · by lpm-firewall-aiNo active runtime or install-time attack path is present. The package is an inert carrier for a large opaque binary payload embedded in metadata.
Static reason
No blocking static signals were detected.
Trigger
None observed; npm installation only reads the manifest.
Impact
No confirmed execution or exfiltration, but the concealed payload is unexplained and could support later-stage abuse if activated elsewhere.
Mechanism
Opaque staged payload concealed in manifest keywords.
Rationale
Source inspection found no trigger for execution, but the deliberately concealed, nonfunctional binary payload is an unresolved supply-chain risk. Warn rather than block because no concrete malicious behavior can execute from this package as shipped.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` stores 274 opaque base64-like keyword fragments totaling 68,268 characters.
- The concatenated keyword data decodes to 51 KB of unrecognized binary data, not normal package metadata.
- The payload is hidden in `keywords`, a metadata field unrelated to package functionality.
Evidence against
- `package.json` has no lifecycle scripts, dependencies, bin, main, module, or browser entrypoint.
- `index.js` exists but is empty.
- No executable source, network endpoint, credential access, shell execution, or file mutation was found.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores 274 opaque base64-like keyword fragments totaling 68,268 characters.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumAi Review Evidence