AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked SaaS scanner CLI that reads project source for static analysis, writes .periderm reports, and can upload scan metadata/findings to Periderm endpoints after authentication.
Static reason
No blocking static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs periderm login, scan, review, watch, whoami, or logout.
Impact
Expected project findings/report data may be written locally or sent to service APIs; no install-time execution, credential harvesting, destructive behavior, or hidden code execution was found.
Mechanism
Static project scanner with authenticated dashboard upload, update check, and crash reporting.
Rationale
Static inspection shows scanner/file/network primitives are aligned with the documented CLI workflow and require explicit user commands, with no lifecycle execution or covert payload. Scanner hints about dynamic require/network/env are explained by benign local scanning, config, update, authenticated API, and crash-reporting code.
Evidence
- package.json
- dist/bin.js
- dist/index.js
- dist/api.js
- dist/config.js
- dist/error-report.js
- dist/update-notifier.js
- dist/review/deep.js
- dist/scanner/index.js
- dist/scanner/walk.js
- dist/scanner/repo-checks.js
- ~/.periderm/config.json
- .periderm/last-report.md
- .periderm/last-report.json
- .periderm/ai-instructions.md
- .periderm/.gitignore
Network endpoints (3)
- periderm-cli.vercel.app
- registry.npmjs.org/${name}/latest
- formspree.io/f/mqakppnn
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall hooks; executable is user-invoked bin ./dist/bin.js.
- dist/bin.js only starts update check and imports ./index.js; no arbitrary dynamic require or shell execution.
- dist/scanner/walk.js and dist/scanner/index.js read JS/TS project files for static scan findings, excluding node_modules/dist/build/.git paths.
- dist/index.js writes reports only under the selected project's .periderm directory after periderm scan/review.
- dist/api.js network calls are product-aligned token verification, scan upload, policies, and deep review APIs.
- rg found no child_process, eval, Function, rm, unlink, or binary/native loading in package dist files.
Behavioral surface
- ChildProcess
- DynamicRequire
- EnvironmentVars
- Filesystem
- Network
- HighEntropyStrings
- UrlStrings
Source & flagged code
2 flagged
dist/scanner/repo-checks.js
L321: why: "Without code-splitting, a visitor to your landing page also downloads the admin dashboard, the settings screens, and every modal. First paint gets slower with every feature y...
L322: fix: "Wrap heavy or rarely-used routes in React.lazy(() => import('./Route')) + <Suspense>, or use your router's built-in lazy() API. Split third-party charts, editors and 3D scene...
L323: aiPrompt: `This project has ${routeFiles.length} route files but no dynamic import()/React.lazy usage. Identify the largest / least-visited routes (admin, settings, editors, charts...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/scanner/repo-checks.js · L321
dist/scanner/checks.js
- matchType = previous_version_dangerous_delta
- matchedPackage = periderm-cli@0.1.31
- matchedIdentity = npm:cGVyaWRlcm0tY2xp:0.1.31
- similarity = 0.762
- summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/scanner/checks.js
Findings
1 Critical · 3 Medium · 4 Low
- Critical: Previous Version Dangerous Delta (dist/scanner/checks.js)
- Medium: Dynamic Require (dist/scanner/repo-checks.js)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings