AI Security Review
scanned 3h ago · by lpm-firewall-aiInstallation executes a verification script that sends telemetry to a package-controlled Sentry project. The script collects the installing machine's public IP through Cloudflare and uploads a deliberately generated exception after enabling default PII capture.
Decision evidence
public snapshot- package.json preinstall runs `npm install @sentry/node && node examples/verify.js`.
- examples/verify.js invokes init(), public-IP lookup, error capture, and flush during installation.
- src/index.js embeds a default Sentry ingest DSN and initializes reporting with sendDefaultPii: true.
- src/index.js fetches Cloudflare trace endpoints, assigns the resolved IP to Sentry user data, then sends a captured exception.
- No shell execution, filesystem harvesting, persistence, or AI-agent configuration mutation was found.
- The network/reporting code is explicit, but it is invoked automatically by the install lifecycle.
Source & flagged code
4 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
src/index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
src/index.jsView on unpkg