AI Security Review
scanned 8h ago · by lpm-firewall-aiPostinstall downloads and extracts a platform-native archive from the package's GitHub release location. The archive is staged locally and runs only when the user invokes the package CLI.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation; later `rustcodegraph` CLI invocation
Impact
A compromised release artifact could execute with the CLI user's privileges.
Mechanism
unverified remote native-binary bootstrap
Rationale
This is an unresolved staged-payload supply-chain risk due to install-time download of an opaque native archive without integrity verification. Source inspection does not establish concrete malicious behavior, so warn rather than block.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-rustcodegraph.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/hunzhiwange/rustcodegraph/releases/download/v1.2.5
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` invokes `install.js` on `postinstall`.
- `binary-install.js` downloads a native release archive at install time.
- The downloaded archive has no checksum or signature verification.
- `run-rustcodegraph.js` later spawns the extracted native binary.
Evidence against
- The URL is fixed from package metadata to the project GitHub release path.
- Writes are limited to package-local `node_modules/.bin_real`.
- No JavaScript credential harvesting, exfiltration, eval, or agent-config writes found.
- The downloaded binary is not run automatically during postinstall.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings