AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The notable risk is runtime loading of D3 from d3js.org inside visualization web workers, which is package-aligned but supply-chain-sensitive.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports package and renders worker-backed visualization components such as Oscilloscope, LFOVisualizer, or VUMeter.
Impact
Remote D3 CDN dependency executes in workers for selected components; no evidence of data theft or host compromise.
Mechanism
React/JUCE UI components with worker-based canvas visualization and local JUCE backend fetches
Rationale
The scanner's base64/worker and network findings are explained by bundled visualization workers that import D3 and render audio UI data. Source inspection found no install-time execution, harvesting, exfiltration, persistence, or destructive behavior.
Evidence
package.jsonREADME.mddist/index.js
Network endpoints1
d3js.org/d3.v7.min.js
Decision evidence
public snapshotAI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/index.js embeds worker code as base64 and creates workers with Blob URLs or worker_threads eval.
- Decoded worker payloads call importScripts('https://d3js.org/d3.v7.min.js'), loading D3 at component runtime.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entries.
- dist/index.js fetch calls use Juce.getBackendResourceAddress for local JUCE resources, not arbitrary exfiltration endpoints.
- No credential/env harvesting, cookie/localStorage reads, filesystem access, child_process, destructive actions, or persistence found.
- Native calls are JUCE UI/plugin functions such as getSliderState, getNativeFunction('savePreset'), undo/redo, and event listeners.
- README and manifest describe a React/JUCE audio plugin UI component library, matching observed code.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
552shapeRendering: "crispEdges",
L553: xmlns: "http://www.w3.org/2000/svg",
L554: children: jsx("polygon", {
...
L3427: if (eventId) {
L3428: fetch(Juce.getBackendResourceAddress(`${eventId}.json`)).then((response)=>response.text()).then((text)=>{
L3429: const data = JSON.parse(text);
...
L4733: fillGradient: fillGradient,
L4734: data: data,
L4735: xScale: xScale,
High
Base64 Obscured Url
Source decodes a Base64-obscured HTTP endpoint at runtime.
dist/index.jsView on unpkg · L552Findings
1 High1 Medium3 Low
HighBase64 Obscured Urldist/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings