AI Security Review
scanned 2h ago · by lpm-firewall-aiPostinstall retrieves a package-aligned platform binary and stores it under the package `bin/` directory. The binary is launched only when the user invokes `tacho`; no confirmed malicious behavior is present in inspected JavaScript.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install downloads and extracts the binary; explicit `tacho` invocation executes it.
Impact
Native binary provenance remains outside the inspected JavaScript, but no concrete hostile action is established.
Mechanism
versioned release-binary bootstrap with checksum verification
Rationale
The package uses a conventional postinstall binary downloader for its own CLI, with version-derived GitHub URLs and checksum validation. Static source inspection found no concrete malicious chain or unconsented control-surface mutation.
Evidence
package.jsoninstall.jsasset.jsbin/tacho.jsbin/tachobin/tacho.exe
Network endpoints1
github.com/kosako/tachograph/releases/download/
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- `package.json` runs `node install.js` on postinstall.
- `install.js` downloads a platform archive during installation.
- `install.js` extracts and writes a native executable to `bin/`.
Evidence against
- `asset.js` restricts downloads to versioned GitHub release assets.
- `install.js` verifies SHA-256 against the release checksum file before extraction.
- Downloaded binary is not run by postinstall; `bin/tacho.js` runs it only on explicit CLI use.
- No credential harvesting, broad file reads, exfiltration, eval, or AI-agent config writes found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings