
pire-browser@0.2.5

Cross-platform Pi extension and Firefox bridge for local browser automation

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface in inspected source. The package has high-privilege browser automation and install-time setup behavior, but it is consistent with its stated Firefox/Pi bridge purpose.

Static reason: One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger: npm install postinstall setup or explicit pire-browser CLI/browser automation commands
Impact: No credential harvesting, exfiltration, persistence, destructive action, or unconsented AI-agent control hijack confirmed by source inspection.
Mechanism: package-aligned launcher, native bridge setup, Pi registration migration, and Firefox extension automation
Rationale: Static source inspection shows privileged install/runtime primitives, but they are coherent with a local Firefox automation bridge, and no concrete malicious data flow or unconsented control-surface mutation was found. Scanner hints appear to be triggered by expected lifecycle setup, launcher spawning, update checks, and redaction/auth feature code.
Evidence (inspected files):
  • package.json
  • scripts/pi-postinstall.mjs
  • scripts/pi-install-migration.mjs
  • scripts/platform.mjs
  • bin/pire-browser.js
  • pi/extensions/pire-browser.ts
  • pi/extensions/pire-browser-runner.ts
  • pi/extensions/redaction.ts
  • extension/manifest.json
  • extension/dist/background.js
Network endpoints (2):
  • github.com/ryenwang/pire-browser
  • npm registry, via npm view pire-browser version

Decision evidence

public snapshot
The AI verdict is Clean (Benign) at 82.0% confidence, with medium false-positive risk.
Evidence for block
  • package.json defines postinstall running scripts/pi-postinstall.mjs
  • scripts/pi-postinstall.mjs spawns bin/pire-browser.js setup during install
  • bin/pire-browser.js can spawn native optional binary and run npm/pi update commands when user invokes update/upgrade
  • extension/manifest.json requests broad Firefox automation permissions including <all_urls>, nativeMessaging, cookies, downloads
Evidence against
  • Postinstall verifies packaged files and disables launcher update check for setup; no hardcoded exfiltration endpoint found
  • Pi migration only removes known legacy pire-browser registrations after npm:pire-browser is present
  • Network references are package-aligned npm update checks or browser automation docs/features
  • Secret-pattern hits are redaction/auth selector logic, not embedded credentials
  • Child process use is launcher/native bridge/update workflow aligned with browser automation package
Behavioral surface
  • Source: Child Process, Environment Vars, Eval, Filesystem, Network, Shell
  • Supply chain: High Entropy Strings, Url Strings
  • Manifest: No manifest risk signals triggered.
scanned 11 file(s), 565 KB of source, external domains: example.com, github.com

Source & flagged code

5 flagged
package.json
  scripts.postinstall = node scripts/pi-postinstall.mjs
High · Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.
extension/dist/background.js (line 21)
  patternName = generic_password; severity = medium; line = 21; matchedText = password...rd',
Medium · Secret Pattern

Package contains a possible secret pattern.
bin/pire-browser.js
  matchType = previous_version_dangerous_delta; matchedPackage = pire-browser@0.2.4; matchedIdentity = npm:cGlyZS1icm93c2Vy:0.2.4; similarity = 0.900; summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.
bin/pire-browser.js (line 1)
  L1: #!/usr/bin/env node
  L2: import { spawn, spawnSync } from "node:child_process";
  L3: import {
High · Child Process

Package source references child process execution.
scripts/pi-postinstall.mjs (line 2)
  Cross-file remote execution chain: scripts/pi-postinstall.mjs spawns extension/dist/background.js; helper contains network access plus dynamic code execution.
  L2: import { dirname, join } from "node:path";
  L3: import { spawnSync } from "node:child_process";
  L4: import { fileURLToPath } from "node:url";
  ...
  L8:
  L9: if (process.env.PIRE_BROWSER_SKIP_POSTINSTALL === "1") {
  L10:   process.exit(0);
High · Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

Findings

1 Critical · 4 High · 4 Medium · 5 Low
  • Critical: Previous Version Dangerous Delta (bin/pire-browser.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (bin/pire-browser.js)
  • High: Shell
  • High: Cross File Remote Execution Context (scripts/pi-postinstall.mjs)
  • Medium: Secret Pattern (extension/dist/background.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Eval
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings