registry  /  @antimatter-audio/antimatter-ui  /  16.5.3

@antimatter-audio/antimatter-ui@16.5.3

React UI component library for Antimatter Audio.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime behavior is UI components reading JUCE backend resources and rendering visualizations; the only external endpoint observed is a d3 CDN import inside worker code.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package and rendering affected React/JUCE UI visualization components.
Impact
No credential theft, persistence, destructive behavior, or unauthorized control-surface mutation identified.
Mechanism
React UI components, JUCE backend event/resource reads, and d3-based web workers
Rationale
Static source inspection found suspicious-looking base64 worker wrappers and network primitives, but they are package-aligned visualization code and JUCE-local resource reads. There are no lifecycle hooks or concrete malicious behaviors.
Evidence
package.jsonREADME.mddist/index.js
Network endpoints1
d3js.org/d3.v7.min.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js embeds base64 web-worker bodies that call importScripts('https://d3js.org/d3.v7.min.js').
  • dist/index.js uses fetch(Juce.getBackendResourceAddress(...)) for JUCE backend JSON resources.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and only build/start scripts.
  • package.json main/export is dist/index.js, a React UI component bundle for Antimatter Audio/JUCE.
  • dist/index.js sensitive-sink search found no process.env, credential harvesting, filesystem writes, child_process, eval, cookies, localStorage, sendBeacon, XHR, or WebSocket.
  • fetch calls are tied to JUCE backend resource addresses and visualization event data, not arbitrary exfiltration endpoints.
  • Base64 worker payloads decode to visualization workers using d3/canvas/postMessage, not staged malware.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 358 KB of source, external domains: www.w3.org

Source & flagged code

1 flagged · loading source
dist/index.jsView file
546shapeRendering: "crispEdges", L547: xmlns: "http://www.w3.org/2000/svg", L548: children: jsx("polygon", { ... L3403: if (eventId) { L3404: fetch(Juce.getBackendResourceAddress(`${eventId}.json`)).then((response)=>response.text()).then((text)=>{ L3405: const data = JSON.parse(text); ... L4708: fillGradient: fillGradient, L4709: data: data, L4710: xScale: xScale,
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

dist/index.jsView on unpkg · L546

Findings

1 High1 Medium3 Low
HighBase64 Obscured Urldist/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings