registry  /  @antimatter-audio/antimatter-ui  /  16.5.5

@antimatter-audio/antimatter-ui@16.5.5

React UI component library for Antimatter Audio.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The suspicious primitives are consistent with a React/JUCE audio UI library communicating with its host backend at runtime.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports/renders exported React components in a JUCE-enabled frontend.
Impact
Package-aligned UI/backend data exchange only; no credential theft, persistence, or exfiltration identified.
Mechanism
Host-backend UI event listeners and local resource fetches
Rationale
Static inspection shows a built React component library with JUCE backend calls and bundled worker helper code; the scanner's network/base64 signals do not resolve to external malicious endpoints. With no lifecycle execution, credential/file harvesting, shell execution, or persistence, this should be marked clean.
Evidence
package.jsondist/index.jsdist/hooks/useWebSockets.d.tsdist/src/hooks/useWebSockets.d.ts

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js contains fetch calls, but they target Juce.getBackendResourceAddress(...) for JUCE backend resources.
  • dist/index.js includes Buffer.from/atob base64 helpers and worker_threads require checks inside bundled worker-loader/runtime code.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; main/export is dist/index.js only.
  • package.json describes a React UI component library and depends on @antimatter-audio/juce-framework-frontend, matching JUCE bridge usage.
  • dist/index.js network access is event-driven component runtime fetching local JUCE backend JSON such as LFO cycles and visualization data.
  • No shell execution, process.env harvesting, credential reads, filesystem writes, persistence, or external exfiltration endpoints found in package source scan.
  • No decoded external URLs or AI/reviewer prompt-manipulation strings found during source inspection.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 360 KB of source, external domains: www.w3.org

Source & flagged code

1 flagged · loading source
dist/index.jsView file
545shapeRendering: "crispEdges", L546: xmlns: "http://www.w3.org/2000/svg", L547: children: jsx("polygon", { ... L3420: if (eventId) { L3421: fetch(Juce.getBackendResourceAddress(`${eventId}.json`)).then((response)=>response.text()).then((text)=>{ L3422: const data = JSON.parse(text); ... L4726: fillGradient: fillGradient, L4727: data: data, L4728: xScale: xScale,
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

dist/index.jsView on unpkg · L545

Findings

1 High1 Medium3 Low
HighBase64 Obscured Urldist/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings