registry  /  nuwax-cli  /  1.0.130

nuwax-cli@1.0.130

Docker service management and upgrade CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

On npm install, the package downloads and extracts a platform-specific native archive. On CLI use, it executes that extracted binary. The JavaScript source does not verify archive integrity.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` downloads the archive; invoking `nuwax-cli` executes it.
Impact
A compromised artifact host or altered archive can supply executable code outside the reviewed package source.
Mechanism
remote native payload download, extraction, and later execution
Rationale
The source is a remote native-binary bootstrapper with no artifact integrity verification. That is a real unresolved staged-payload risk, not evidence of direct malicious behavior.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-nuwax-cli.jsnode_modules/.bin_real
Network endpoints1
nuwa-packages.oss-rg-china-mainland.aliyuncs.com/nuwax-cli/v1.0.130

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Unknown with low false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall`.
  • `binary-install.js` downloads a platform archive from a remote host.
  • Downloaded archives have no checksum or signature verification.
  • `run-nuwax-cli.js` executes the extracted native binary.
Evidence against
  • URL and binary names are fixed by package metadata.
  • Installer writes only its own `node_modules/.bin_real` directory.
  • No credential harvesting, exfiltration, AI-agent mutation, eval, or shell payload is present.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings