AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The only external network endpoint found is a D3 runtime import inside chart/visualization Web Workers, consistent with UI rendering rather than exfiltration.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports/renders affected chart, oscilloscope, LFO, or VU meter components at runtime.
Impact
Loads D3 for visualization workers and reads local JUCE-provided UI data; no credential or filesystem impact observed.
Mechanism
React/JUCE UI rendering with Web Workers and JUCE backend resource fetches
Rationale
Static inspection shows suspicious bundled worker/base64 and network primitives, but they resolve to visualization workers loading D3 and JUCE-local UI data access. There is no install-time execution, exfiltration, persistence, destructive behavior, or reviewer/agent manipulation.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints1
d3js.org/d3.v7.min.js
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/index.js embeds base64 web-worker bundles that call importScripts('https://d3js.org/d3.v7.min.js').
- dist/index.js creates Web Workers from bundled base64 source and uses eval:true only for Node worker_threads fallback.
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
- package.json main/export is dist/index.js for a React/JUCE UI component library.
- dist/index.js fetch calls use Juce.getBackendResourceAddress(...) for runtime UI data such as LFO/graph JSON, not external exfiltration URLs.
- No fs reads/writes, process.env harvesting, credential strings, child_process, persistence, or AI-agent control-surface writes found by source inspection.
- README describes intended use as Antimatter Audio JUCE/React UI components.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
521shapeRendering: "crispEdges",
L522: xmlns: "http://www.w3.org/2000/svg",
L523: children: jsx("polygon", {
...
L3396: if (eventId) {
L3397: fetch(Juce.getBackendResourceAddress(`${eventId}.json`)).then((response)=>response.text()).then((text)=>{
L3398: const data = JSON.parse(text);
...
L4701: fillGradient: fillGradient,
L4702: data: data,
L4703: xScale: xScale,
High
Base64 Obscured Url
Source decodes a Base64-obscured HTTP endpoint at runtime.
dist/index.jsView on unpkg · L521Findings
1 High1 Medium3 Low
HighBase64 Obscured Urldist/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings