
voinznext@0.1.1

Interactive CLI tool for scaffolding Next.js projects with your preferred tech stack

AI Security Review

scanned 4h ago · by lpm-firewall-ai

The package is a lifecycle-triggered remote binary downloader. It pulls the latest GitHub release asset at install time and stores it as an executable for later CLI invocation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes voinznext CLI
Impact
Remote release contents can change independently of the npm version and become the executed CLI payload without checksum validation.
Mechanism
unpinned install-time binary download
Attack narrative
On install, install.js creates a bin directory, queries GitHub for the latest release tag, downloads a platform-specific binary asset, writes it as bin/voinznext.exe, and marks it executable on non-Windows. The CLI wrapper then spawns a local binary path when the user runs voinznext. The source does not show exfiltration or install-time execution of the binary, but the unpinned remote executable is a staged payload risk.
Rationale
Static source inspection confirms an install-time, unpinned remote executable download with no checksum verification, which is risky but not enough by itself to prove malicious behavior. No concrete data theft, persistence, destructive action, or agent hijack behavior was present in the reviewed package source.
Evidence
Files: package.json, install.js, cli.js, bin/voinznext.exe
Network endpoints (2):
  • api.github.com/repos/VoinzzZ/VoinzNext/releases/latest
  • github.com/VoinzzZ/VoinzNext/releases/download/${version}/${binaryName}

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node install.js
  • install.js fetches latest release metadata from api.github.com during install
  • install.js downloads a platform binary from github.com releases without pinning or checksum verification
  • install.js writes the downloaded executable under bin/voinznext.exe and chmods it executable on non-Windows
  • cli.js later spawns the downloaded local binary with inherited stdio
Evidence against
  • No credential/env harvesting found in package source
  • No persistence, destructive behavior, eval/vm/Function, or AI-agent control-surface writes found
  • Network endpoints are package GitHub release endpoints, not obvious exfiltration endpoints
  • Downloaded binary is not executed by postinstall in reviewed source
Behavioral surface
Source
ChildProcess, Filesystem, Network
Supply chain
Url Strings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 3.43 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings