AI Security Review
scanned 3h ago · by lpm-firewall-aiNo executable attack surface is established: the only nonempty file is metadata containing opaque data. The encoded-looking keyword payload is inert within this package because no source or lifecycle hook consumes it.
Static reason
No blocking static signals were detected.
Trigger
None within this package.
Impact
No direct package-side execution or exfiltration confirmed; metadata could be staged for an external consumer.
Mechanism
Opaque metadata payload carrier without an execution path.
Rationale
No direct malicious execution chain exists, but the large encoded-looking metadata payload is unexplained and nonfunctional. Warn rather than block because it has no install-time or runtime execution path.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- package.json contains 274 opaque base64-like keyword strings totaling 68,268 characters.
- The manifest description labels the package a generic "chunk," consistent with inert data packaging.
Evidence against
- package.json has no lifecycle scripts, entrypoints, bin, dependencies, or publish/runtime configuration.
- index.js exists but is empty (0 bytes).
- The package contains only package.json and empty index.js; no executable source, binary, or install hook was found.
- No network endpoints, credential harvesting, shell execution, persistence, or AI-agent configuration writes were found.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json contains 274 opaque base64-like keyword strings totaling 68,268 characters.
package.jsonView on unpkgFindings
2 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence