AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Runtime code can create visualization workers and fetch JUCE-local JSON resources; embedded workers load D3 from its public CDN.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports/renders affected React visualization components at runtime.
Impact
Package-aligned UI behavior; no confirmed credential theft, exfiltration, persistence, or install-time execution.
Mechanism
React UI components with JUCE backend integration and Base64-bundled visualization workers
Rationale
Static inspection found a UI library with package-aligned JUCE backend calls and visualization workers; the Base64 worker/CDN D3 signal is explainable by bundled chart workers, not a payload or exfiltration path. With no lifecycle hooks, harvesting, shelling out, persistence, or malicious endpoint, this should be marked clean.
Evidence
package.jsonREADME.mddist/index.jsdist/index.js.map
Network endpoints1
d3js.org/d3.v7.min.js
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js contains Base64-embedded web workers that call importScripts('https://d3js.org/d3.v7.min.js').
- dist/index.js uses Worker(...,{eval:true}) in Node-style worker_threads path for those embedded worker bodies.
- dist/index.js fetches JUCE backend resource JSON for UI event data via Juce.getBackendResourceAddress(...).
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and main is dist/index.js.
- dist/index.js exports React/JUCE UI components; suspicious primitives are used for charts, meters, LFO visualization, and backend UI state.
- No credential/env/cookie/localStorage harvesting, shell execution, persistence, destructive behavior, or external exfiltration code found.
- Network use is limited to d3js.org worker library loading and JUCE backend resource fetches; no attacker-controlled collection endpoint found.
- README.md describes a JUCE React UI component library matching the inspected implementation.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
521shapeRendering: "crispEdges",
L522: xmlns: "http://www.w3.org/2000/svg",
L523: children: jsx("polygon", {
...
L3396: if (eventId) {
L3397: fetch(Juce.getBackendResourceAddress(`${eventId}.json`)).then((response)=>response.text()).then((text)=>{
L3398: const data = JSON.parse(text);
...
L4702: fillGradient: fillGradient,
L4703: data: data,
L4704: xScale: xScale,
High
Base64 Obscured Url
Source decodes a Base64-obscured HTTP endpoint at runtime.
dist/index.jsView on unpkg · L521Findings
1 High1 Medium3 Low
HighBase64 Obscured Urldist/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings