
tmax-terminal@1.11.4

Powerful multi-terminal app with tiling, floating panels, and keyboard-driven workflow

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package performs install-time retrieval and extraction of a native application binary from GitHub releases. The download target matches the package's declared repository, but the main risk is that the binary payload lives outside the inspected npm tarball and is not integrity-checked in the inspected source before it is extracted and later executed.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; later user runs tmax
Impact
Installs and launches a platform-specific native terminal application from app/.
Mechanism
install-time remote binary download and local launcher
Rationale
The source shows a real install-time remote binary download and extraction path, so a warning is appropriate because the executable payload is not present for source inspection. The behavior is disclosed and package-aligned, with no concrete malicious logic in the inspected JS files.
Evidence
package.json, install.js, cli.js, README.md, _tmp_tmax.zip, app/, app/*/tmax, app/*/tmax.exe, app/*/tmax.app
Network endpoints (1)
github.com/InbarR/tmax/releases/download/v1.11.4/

Decision evidence

public snapshot
AI verdict: Suspicious (82.0% confidence); classification: Unknown; false-positive risk: medium.
Evidence for warning
  • package.json runs postinstall: node install.js
  • install.js downloads a platform zip from https://github.com/InbarR/tmax/releases/download/v1.11.4/... during install
  • install.js writes _tmp_tmax.zip, extracts it into app/, and chmods the extracted tmax binary
  • cli.js later launches the extracted app/tmax binary with child_process.spawn
Evidence against
  • Download URL is package-aligned with the manifest repository/homepage and README describes this binary download behavior
  • No credential/env harvesting, destructive logic, persistence, or AI-agent control-surface writes found
  • Network use is limited to GitHub release asset download with redirects
  • No eval/vm/Function or dynamic remote code execution in JS source
Behavioral surface
Source
ChildProcess, Filesystem, Network
Supply chain
Url Strings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 5.42 KB of source, external domains: github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.


Findings

1 High, 2 Medium, 3 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Low · Scripts Present
Low · Filesystem
Low · Url Strings