AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package has install-time setup and can modify Pi package registration state, but the mutations are scoped to replacing known legacy pire-browser sources with npm:pire-browser and are package-aligned.
Decision evidence
public snapshot
- package.json runs postinstall: node scripts/pi-postinstall.mjs.
- scripts/pi-postinstall.mjs spawns bin/pire-browser.js setup at install time.
- scripts/pi-install-migration.mjs can edit Pi settings and quarantine legacy pire-browser installs when run in Pi-managed path.
- Postinstall validates packaged launcher/extension files and runs setup with update checks disabled; no download/exfil path seen.
- bin/pire-browser.js is a browser automation launcher that resolves platform optional native packages and proxies user commands.
- Update logic invokes npm view/install for pire-browser itself, gated by install kind/config/offline checks, not hidden arbitrary payload retrieval.
- Extension network, credentials, cookies, proxy, eval-like page execution, and auth vault features are documented browser automation capabilities, user-invoked and redacted.
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package contains a possible secret pattern. (extension/dist/background.js, line 21)
- This package version adds a dangerous source file absent from the previous stored version. (bin/pire-browser.js)
- Package source references child process execution. (bin/pire-browser.js, line 1)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. (scripts/pi-postinstall.mjs, line 2)