pire-browser@0.2.6

Cross-platform Pi extension and Firefox bridge for local browser automation

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package has install-time setup and can modify Pi package registration state, but the mutations are scoped to replacing known legacy pire-browser sources with npm:pire-browser and are package-aligned.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
npm install postinstall or user running pire-browser commands
Impact
Installs/configures local browser bridge and may remove legacy duplicate pire-browser Pi registrations; no credential harvesting or exfiltration found.
Mechanism
browser automation launcher with Pi migration/setup helpers
Rationale
Static inspection shows high-risk primitives, but they are tied to the package's stated Firefox/browser automation and Pi migration functions rather than covert lifecycle compromise. I found no unconsented credential collection, arbitrary remote code execution, persistence, destructive behavior, or exfiltration endpoint.
Evidence
  • package.json
  • scripts/pi-postinstall.mjs
  • scripts/pi-install-migration.mjs
  • scripts/platform.mjs
  • bin/pire-browser.js
  • extension/dist/background.js
  • extension/manifest.json
  • Pi settings.json when in Pi-managed install context
  • .pi/settings.json via explicit pi repair command
  • legacy .pi extensions/pire-browser.ts shim during repair
  • legacy .pi git/github.com/ryenwang/pire-browser directory during repair
Network endpoints (2)
  • github.com/ryenwang/pire-browser
  • git+https://github.com/ryenwang/pire-browser

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/pi-postinstall.mjs.
  • scripts/pi-postinstall.mjs spawns bin/pire-browser.js setup at install time.
  • scripts/pi-install-migration.mjs can edit Pi settings and quarantine legacy pire-browser installs when run in Pi-managed path.
Evidence against
  • Postinstall validates packaged launcher/extension files and runs setup with update checks disabled; no download/exfil path seen.
  • bin/pire-browser.js is a browser automation launcher that resolves platform optional native packages and proxies user commands.
  • Update logic invokes npm view/install for pire-browser itself, gated by install kind/config/offline checks, not hidden arbitrary payload retrieval.
  • Extension network, credentials, cookies, proxy, eval-like page execution, and auth vault features are documented browser automation capabilities, user-invoked and redacted.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 565 KB of source, external domains: example.com, github.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/pi-postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

extension/dist/background.js
patternName = generic_password; severity = medium; line = 21; matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

bin/pire-browser.js
matchType = previous_version_dangerous_delta
matchedPackage = pire-browser@0.2.5
matchedIdentity = npm:cGlyZS1icm93c2Vy:0.2.5
similarity = 0.900
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

L1: #!/usr/bin/env node
L2: import { spawn, spawnSync } from "node:child_process";
L3: import {
High
Child Process

Package source references child process execution.

scripts/pi-postinstall.mjs
Cross-file remote execution chain: scripts/pi-postinstall.mjs spawns extension/dist/background.js; the helper contains network access plus dynamic code execution.
L2: import { dirname, join } from "node:path";
L3: import { spawnSync } from "node:child_process";
L4: import { fileURLToPath } from "node:url";
...
L8:
L9: if (process.env.PIRE_BROWSER_SKIP_POSTINSTALL === "1") {
L10:   process.exit(0);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.


Findings

1 Critical · 4 High · 4 Medium · 5 Low
  • Critical: Previous Version Dangerous Delta (bin/pire-browser.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (bin/pire-browser.js)
  • High: Shell
  • High: Cross File Remote Execution Context (scripts/pi-postinstall.mjs)
  • Medium: Secret Pattern (extension/dist/background.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Eval
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings