AI Security Review
scanned 59m ago · by lpm-firewall-ai

The package is a native-binary npm wrapper with install-time download and extraction. This creates unresolved supply-chain risk from an unauthenticated release asset, but the reviewed JS source does not show concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user runs testify CLI afterward
Impact
Installs and later executes a platform-specific native binary from the package author's GitHub release assets
Mechanism
postinstall GitHub release archive download and native binary wrapper
Rationale
Source inspection supports a warning for install-time remote native binary installation without integrity verification, not a publish block. The behavior is disclosed and package-aligned, with no confirmed malicious code path in the reviewed source.
Evidence
- package.json
- install.js
- bin/testify.js
- README.md
- bin/
- bin/testify_darwin_amd64.tar.gz
- bin/testify_darwin_arm64.tar.gz
- bin/testify_linux_amd64.tar.gz
- bin/testify_linux_arm64.tar.gz
- bin/testify_windows_amd64.zip
- bin/testify_windows_arm64.zip
- bin/testify
- bin/testify.exe
Network endpoints (1)
github.com/nityam123-pixle/testify-cli/releases/download/v${version}/${assetName}
Decision evidence
Public snapshot: AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node install.js
- install.js downloads a platform archive from GitHub Releases during install
- install.js extracts the downloaded archive into bin/ and chmods bin/testify without checksum verification
- bin/testify.js later spawnSyncs the installed native binary with user args
Evidence against
- README.md discloses the automatic GitHub Releases binary download behavior
- Network host is package-aligned with homepage/main repo, not an unrelated endpoint
- No credential/env harvesting, broad filesystem scanning, persistence, or AI-agent config mutation found in JS source
- No install-time execution of the downloaded binary found; install uses tar or PowerShell extraction only
Behavioral surface
- ChildProcess
- Filesystem
- Network
- Url Strings
Source & flagged code
2 flagged

package.json
- scripts.postinstall = node install.js
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
- scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json

Findings
1 High · 2 Medium · 3 Low
- High · Install Time Lifecycle Scripts (package.json)
- Medium · Ambiguous Install Lifecycle Script (package.json)
- Medium · Network
- Low · Scripts Present
- Low · Filesystem
- Low · Url Strings