AI Security Review
scanned 4d ago · by lpm-firewall-aiThe package exfiltrates host/user install telemetry during npm postinstall. This behavior is unrelated to the advertised date-string helper functionality.
Decision evidence
public snapshot- package.json defines postinstall: node postinstall.js
- postinstall.js runs automatically on install and sends HTTP callback
- postinstall.js collects whoami, hostname, platform, and node version
- postinstall.js executes whoami/id via child_process.execFile
- postinstall.js writes debug log to os.tmpdir()
- index.js only exports simple formatDate and hello helpers
- No package files beyond package.json, index.js, and postinstall.js were present
- No evidence of remote payload download or eval/vm/native loading
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version.
postinstall.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
postinstall.jsView on unpkg · L1Install-named source file stages remote content through filesystem writes and execution.
postinstall.jsView on unpkg · L1