AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall-time code fetches a platform-specific executable and saves it under `vendor/`. The CLI later launches that uninspected executable with user-supplied arguments.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers `postinstall`; invoking `termcord` executes the downloaded binary.
Impact
A compromised or substituted release asset can execute arbitrary code on the installing machine.
Mechanism
remote native-binary download and execution
Rationale
The inspected source establishes an unverified install-time remote binary delivery chain, not confirmed malicious behavior. Flag as a staged payload carrier pending binary/integrity review.
Evidence
package.jsoninstall.jsbin/termcord.jsvendor/termcordvendor/termcord.exe
Network endpoints1
github.com/PrathamGhaywat/termcord/releases/download/v1.0.0/
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` runs `node install.js` on `postinstall`.
- `install.js` downloads a platform binary during installation.
- Downloaded executable has no checksum or signature verification.
- `bin/termcord.js` executes the downloaded `vendor/termcord` binary.
Evidence against
- No credential, environment, or file harvesting in inspected JavaScript.
- No source evidence of exfiltration, destructive actions, or AI-agent config writes.
- CLI forwarding is explicit-user invoked after installation.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings