AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime behavior is UI components reading JUCE backend resources and rendering visualizations; the only external endpoint observed is a d3 CDN import inside worker code.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package and rendering affected React/JUCE UI visualization components.
Impact
No credential theft, persistence, destructive behavior, or unauthorized control-surface mutation identified.
Mechanism
React UI components, JUCE backend event/resource reads, and d3-based web workers
Rationale
Static source inspection found suspicious-looking base64 worker wrappers and network primitives, but they are package-aligned visualization code and JUCE-local resource reads. There are no lifecycle hooks or concrete malicious behaviors.
Evidence
package.jsonREADME.mddist/index.js
Network endpoints1
d3js.org/d3.v7.min.js
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js embeds base64 web-worker bodies that call importScripts('https://d3js.org/d3.v7.min.js').
- dist/index.js uses fetch(Juce.getBackendResourceAddress(...)) for JUCE backend JSON resources.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and only build/start scripts.
- package.json main/export is dist/index.js, a React UI component bundle for Antimatter Audio/JUCE.
- dist/index.js sensitive-sink search found no process.env, credential harvesting, filesystem writes, child_process, eval, cookies, localStorage, sendBeacon, XHR, or WebSocket.
- fetch calls are tied to JUCE backend resource addresses and visualization event data, not arbitrary exfiltration endpoints.
- Base64 worker payloads decode to visualization workers using d3/canvas/postMessage, not staged malware.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
546shapeRendering: "crispEdges",
L547: xmlns: "http://www.w3.org/2000/svg",
L548: children: jsx("polygon", {
...
L3403: if (eventId) {
L3404: fetch(Juce.getBackendResourceAddress(`${eventId}.json`)).then((response)=>response.text()).then((text)=>{
L3405: const data = JSON.parse(text);
...
L4708: fillGradient: fillGradient,
L4709: data: data,
L4710: xScale: xScale,
High
Base64 Obscured Url
Source decodes a Base64-obscured HTTP endpoint at runtime.
dist/index.jsView on unpkg · L546Findings
1 High1 Medium3 Low
HighBase64 Obscured Urldist/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings