registry  /  termcord  /  1.0.2

termcord@1.0.2

Terminal command recorder for agentic and human workflows

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Installation retrieves an opaque platform binary from a remote release URL and stores it as an executable in the package. The CLI later runs that downloaded binary unchanged. No direct JavaScript attack behavior beyond this staged remote payload path was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
`npm install` downloads the binary; invoking `termcord` executes it.
Impact
A compromised or substituted release asset can run arbitrary code when the CLI is used.
Mechanism
unchecked postinstall remote binary download followed by CLI execution
Rationale
The package is an unchecked remote binary carrier with a postinstall downloader, so it warrants a warning. Source inspection does not prove concrete malicious intent or behavior sufficient for a block.
Evidence
package.jsoninstall.jsbin/termcord.jsREADME.mdvendor/termcordvendor/termcord.exe
Network endpoints1
github.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall: node install.js`.
  • `install.js` downloads a platform executable from `github.com` into `vendor/`.
  • Downloaded bytes are written directly and made executable with `chmodSync`; no hash/signature check exists.
  • `bin/termcord.js` executes the downloaded local binary with user arguments.
Evidence against
  • Inspected JavaScript has no credential/env harvesting or data exfiltration.
  • No agent-control configuration writes, persistence outside `vendor/`, or destructive file operations are present.
  • The binary is not executed during installation; execution requires a `termcord` CLI invocation.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.40 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = termcord@1.0.0 matchedIdentity = npm:dGVybWNvcmQ:1.0.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

install.jsView on unpkg

Findings

2 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltainstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings