AI Security Review
scanned 1h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a mini-program Markdown renderer with optional KaTeX and code-highlight plugins; suspicious scanner hits map to bundled renderer/parser data and metadata.
Decision evidence
public snapshot
- index.js installs Array/String .at polyfills at import time, but these touch only local JS built-ins.
- plugins/CodeHighlight/index.js contains shell command names in bundled Bash syntax highlighter data, not executed code.
- katex-font-data.js embeds base64 KaTeX TTF font data; secret-looking strings are font bytes/license text.
- package.json has no preinstall/install/postinstall scripts and no bin entry.
- index.js/index.mjs export markdown parsing/rendering APIs based on marked and platform renderers.
- No child_process, fs file writes/reads, process.env harvesting, eval/new Function, or network request APIs found in runtime entrypoints.
- Network strings are README/package metadata, markdown URL parsing, or http-to-https image normalization, not outbound calls.
- plugins/Latex and plugins/CodeHighlight are bundled KaTeX/highlight.js style renderers invoked by user configuration.
Source & flagged code
20 flagged
- Package contains a critical-looking secret pattern. (katex-font-data.js, L5)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (index.js)
- AWS access key ID in miniprogram_dist/katex-font-data.js (reported at L5, L7, L11, L14, L16, L17, L20, L23, L24)