AI Security Review
scanned 17h ago · by lpm-firewall-ai
No malicious attack surface was confirmed. The package uses a postinstall script to download a binary for a terminal app; at runtime the binary is executed only through the tmax CLI.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user runs tmax CLI
Impact
Downloads and launches the tmax application binary; no evidence of exfiltration or unauthorized modification was found in the package source.
Mechanism
package-aligned binary download and launcher
Rationale
The suspicious primitives are consistent with the stated package purpose: install.js fetches a platform-specific release artifact and cli.js launches it on user invocation. Static inspection found no concrete malicious behavior, credential access, hijacking of AI-agent control surfaces, or persistence unrelated to the package's purpose.
Evidence
package.json, install.js, cli.js, README.md, app/_tmp_tmax.zip
Network endpoints (1)
github.com/InbarR/tmax/releases/download/v1.11.3/tmax-<platform>-<arch>-portable.zip
Decision evidence
public snapshot: AI classified the package as Clean (Benign) at 86.0% confidence, with low false-positive risk.
Evidence for block
- package.json defines postinstall: node install.js
- install.js downloads platform zip from GitHub releases and extracts it into ./app
- cli.js spawns the installed tmax executable as a detached child process when the user runs tmax
Evidence against
- Only four package files present: package.json, install.js, cli.js, README.md
- README.md describes the postinstall binary download behavior
- No credential/env harvesting, AI-agent control-surface writes, persistence, or destructive code found
- Network use is limited to package-aligned GitHub release download
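The evidence for and against above amounts to a small static triage: does the manifest define install-time hooks, which URLs does the script those hooks run contain, and are they package-aligned, i.e. do they point at the repository the manifest itself declares? The following is an added example, not code from the tmax package or from lpm-firewall-ai, that performs that triage on a constructed manifest and install script. The repository field (assumed from the release URL), the file contents and the off-repository decoy URL are assumptions made for the demonstration, and the finding names are the example's own, not the scanner's.

```javascript
// Added example: static triage of an npm package's install-time behaviour.
// Not the reviewed package's code. Runs offline on Node.js; URL is a global.

// Hooks npm runs during `npm install` without any further user action.
const INSTALL_LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// CONSTRUCTED manifest, modelled on the evidence above. The repository field
// is an assumption derived from the release download path.
const samplePackageJson = {
  name: 'tmax',
  version: '1.11.3',
  bin: { tmax: 'cli.js' },
  scripts: { postinstall: 'node install.js', test: 'node --test' },
  repository: { type: 'git', url: 'git+https://github.com/InbarR/tmax.git' },
};

// CONSTRUCTED install script source. The decoy URL is NOT from the real
// package; it exists only to show the alignment check rejecting something.
const sampleInstallJs = `
const base = "https://github.com/InbarR/tmax/releases/download/v1.11.3/";
const name = "tmax-" + process.platform + "-" + process.arch + "-portable.zip";
const url = base + name;
// decoy, off-repository endpoint (constructed for the example)
const decoy = "https://example.invalid/stats?pkg=tmax";
`;

// Every install-time lifecycle script the manifest defines, in hook order.
function findInstallScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_LIFECYCLE
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Distinct http(s) URL strings in source order. A regex, not a JS parser:
// good enough for triage of string literals, blind to URLs built at runtime.
function extractUrls(source) {
  const re = /https?:\/\/[^\s'"`)]+/g;
  return Array.from(new Set(source.match(re) || []));
}

// Normalise "git+https://github.com/owner/repo.git" to { host, path }.
function declaredRepo(pkg) {
  let raw = pkg && pkg.repository;
  if (raw && typeof raw === 'object') raw = raw.url;
  if (typeof raw !== 'string') return null;
  raw = raw.replace(/^git\+/, '').replace(/\.git$/, '');
  try {
    const u = new URL(raw);
    return { host: u.hostname, path: u.pathname.replace(/\/+$/, '') };
  } catch {
    return null;
  }
}

// A URL is package-aligned when its host and leading path match the
// declared repository (so github.com/<owner>/<repo>/releases/... passes).
function isPackageAligned(url, pkg) {
  const repo = declaredRepo(pkg);
  if (!repo) return false;
  try {
    const u = new URL(url);
    return u.hostname === repo.host && u.pathname.startsWith(repo.path + '/');
  } catch {
    return false;
  }
}

// Combine the checks into a report. Severity names are the example's own.
function triage(pkg, installSource) {
  const hooks = findInstallScripts(pkg);
  const urls = extractUrls(installSource);
  const findings = [];
  if (hooks.length) {
    findings.push({
      severity: 'High',
      rule: 'Install-time lifecycle script',
      detail: hooks.map((h) => `scripts.${h.hook} = ${h.command}`).join('; '),
    });
  }
  for (const url of urls) {
    const aligned = isPackageAligned(url, pkg);
    findings.push({
      severity: aligned ? 'Low' : 'Medium',
      rule: aligned ? 'Package-aligned download' : 'Off-repository network endpoint',
      detail: url,
    });
  }
  return { hooks, urls, findings };
}

console.log(JSON.stringify(triage(samplePackageJson, sampleInstallJs), null, 2));
```

Alignment only shows that the download matches the package's stated purpose; it says nothing about what the fetched binary does once cli.js launches it. When that matters, install with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc), read install.js, and run it yourself.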
Behavioral surface
Child process, Filesystem, Network, URL strings
Source & flagged code
2 flagged
package.json: scripts.postinstall = node install.js
High: Install Time Lifecycle Scripts. Package defines install-time lifecycle scripts.
package.json: scripts.postinstall = node install.js
Medium: Ambiguous Install Lifecycle Script. Install-time lifecycle script is not statically allowlisted and needs review.
Findings
1 High, 2 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: URL Strings