registry  /  rustcodegraph  /  1.2.5

rustcodegraph@1.2.5

Local-first code intelligence graph and CLI for AI agents

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Postinstall downloads and extracts a platform-native archive from the package's GitHub release location. The archive is staged locally and runs only when the user invokes the package CLI.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation; later `rustcodegraph` CLI invocation
Impact
A compromised release artifact could execute with the CLI user's privileges.
Mechanism
unverified remote native-binary bootstrap
Rationale
This is an unresolved staged-payload supply-chain risk due to install-time download of an opaque native archive without integrity verification. Source inspection does not establish concrete malicious behavior, so warn rather than block.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-rustcodegraph.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/hunzhiwange/rustcodegraph/releases/download/v1.2.5

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` invokes `install.js` on `postinstall`.
  • `binary-install.js` downloads a native release archive at install time.
  • The downloaded archive has no checksum or signature verification.
  • `run-rustcodegraph.js` later spawns the extracted native binary.
Evidence against
  • The URL is fixed from package metadata to the project GitHub release path.
  • Writes are limited to package-local `node_modules/.bin_real`.
  • No JavaScript credential harvesting, exfiltration, eval, or agent-config writes found.
  • The downloaded binary is not run automatically during postinstall.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 9.90 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings