AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package is a thin launcher that fetches and executes a prebuilt recodex binary from the package author's GitHub release when the CLI is run. The risk is unresolved binary provenance, not confirmed malicious source behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the recodex CLI bin.
Impact
Executes remote native code with the user's environment and CLI arguments if the downloaded asset is malicious or replaced.
Mechanism
runtime download, cache, chmod, and spawn of release binary
Attack narrative
On first CLI use, bin/recodex.js selects a Linux x64 GitHub release tarball, downloads it, pipes it to tar for extraction into ~/.recodex/bin, renames the extracted recodex file to recodex-0.1.0, marks it executable, and spawns it with inherited stdio and the caller's environment. This creates a real native-code execution risk because the binary is outside the npm package and has no source-visible integrity check, but activation is explicit CLI use and the endpoint matches the package repository.
Rationale
Static source inspection found a user-invoked binary bootstrapper with no install hook or exfiltration behavior, but the package executes an unsigned remote native binary from GitHub releases. That warrants warning rather than publish blocking absent lifecycle abuse or concrete malicious payload evidence in the npm source.
Evidence
package.jsonbin/recodex.js~/.recodex/bin/recodex-0.1.0
Network endpoints1
github.com/Kartvya69/recodex/releases/download/v0.1.0/recodex-x86_64-unknown-linux-gnu.tar.gz
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- bin/recodex.js downloads a platform tarball from GitHub releases on first CLI run.
- bin/recodex.js extracts with system tar, renames the extracted recodex binary into ~/.recodex/bin, chmods it executable, then spawns it.
- Downloaded binary is not pinned by checksum/signature in package source.
Evidence against
- package.json has no npm lifecycle scripts, so download/exec is user-invoked via the recodex bin, not install-time.
- Only package files are package.json and bin/recodex.js; no hidden payloads or agent config files present in the tarball source.
- Network endpoint is package-aligned with declared repository/homepage.
- No credential harvesting, exfiltration logic, persistence hooks, destructive code, or foreign AI-agent control-surface writes found in source.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcebin/recodex.jsView file
8L9: import { spawn } from "node:child_process";
L10: import {
High
55L56: const url = `https://github.com/${GITHUB}/releases/download/v${VERSION}/${asset}`;
L57: process.stderr.write(`recodex: downloading v${VERSION} (${key}) — one-time setup...\n`);
L58:
...
L68: const code = await new Promise((resolve) => {
L69: const t = spawn("tar", ["-xz", "-C", dir, "recodex"], {
L70: stdio: ["pipe", "inherit", "inherit"],
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/recodex.jsView on unpkg · L55Findings
3 High2 Medium2 Low
HighChild Processbin/recodex.js
HighShell
HighCommand Output Exfiltrationbin/recodex.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings