AI Security Review
scanned 3h ago · by lpm-firewall-aiA prepare lifecycle command can modify the enclosing Git repository's `core.hooksPath`. No hook payload, exfiltration, remote payload, or import-time execution is present in the published files.
Static reason
No blocking static signals were detected.
Trigger
npm prepare lifecycle execution, typically when installing from a Git source or local checkout
Impact
Can alter the consumer repository's Git hook configuration; no further payload is included.
Mechanism
Git hook-path configuration mutation
Rationale
This is a prepare-only VCS hook configuration mutation, which requires a warn verdict under the supplied policy. Source inspection found no concrete malicious chain beyond that mutation.
Evidence
package.jsondist/transport/index.jsdist/index.js.githooks
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Benign with low false-positive risk.
Evidence for warning
- `package.json` `prepare` runs `git config core.hooksPath .githooks || true`.
- The package does not include `.githooks`, so the hook-path mutation has no published hook payload.
Evidence against
- No `preinstall`, `install`, or `postinstall` lifecycle hook.
- Published `dist` imports only local bundle modules.
- No child-process, eval, filesystem harvesting, environment access, or hard-coded endpoint found in `dist`.
- `HttpTransport` and `WebSocketTransport` use caller-provided URLs and activate through explicit transport operations.
Behavioral surface
ChildProcessShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` `prepare` runs `git config core.hooksPath .githooks || true`.
package.jsonView on unpkgFindings
2 Medium3 Low
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings