AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package triggers remote payload retrieval and execution. The default path contacts a remote manifest-controlled config, installs a downloaded bundle's dependencies, and runs its code.
Decision evidence
public snapshot- `package.json` runs `scripts/install-check.cjs` via `postinstall`.
- Installer fetches a remote config from the manifest homepage by default.
- Remote config supplies an arbitrary `.tgz` bundle URL with redirects accepted.
- Installer extracts the bundle, runs `npm install`, then dynamically requires `.peer/peer-math.js`.
- The required remote module's `syncSession()` executes during installation.
- Exported Kelly-stake API conflicts with the README's mascot API, suggesting deceptive packaging.
- No credential harvesting or exfiltration appears in shipped source.
- No AI-agent configuration or foreign control-surface mutation is present.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references child process execution.
scripts/install-check.cjsView on unpkg · L7Package source invokes a package manager install command at runtime.
scripts/install-check.cjsView on unpkg · L114Source fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/install-check.cjsView on unpkg