registry  /  @bobbykim/manguito-cms-admin  /  0.2.0

@bobbykim/manguito-cms-admin@0.2.0

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network use is limited to the configured same-origin CMS API and a user-initiated storage upload URL returned by that API.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Admin UI runtime actions, including login, CMS requests, and user-selected media upload.
Impact
No package-originated exfiltration, persistence, install-time execution, or destructive action established.
Mechanism
Browser-based CMS administration client using relative API requests.
Rationale
Source inspection shows a Vue CMS admin package with no lifecycle execution or concrete malicious behavior. Scanner findings are explained by bundled font/minified frontend assets and legitimate CMS API/media-upload functionality.
Evidence
package.jsondist/index.jssrc/composables/useApiClient.tssrc/components/fields/MediaUpload.vuedist/assets/EnumSelect-BOrBkA76.jssrc/stores/auth.tssrc/App.vuesrc/views/media/MediaLibraryView.vuedist/codegen/index.js

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks.
    • dist/index.js only exports createAdminAdapter.
    • src/composables/useApiClient.ts uses same-origin admin API paths with cookies.
    • src/components/fields/MediaUpload.vue uploads only user-selected files to server-provided presigned URLs.
    • No child-process, filesystem, eval, or credential-harvesting primitives found in source.
    • Flagged .woff2 is a font asset; flagged bundle is ordinary minified Vue admin UI.
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    Manifest
    WildcardDependency
    scanned 46 file(s), 622 KB of source, external domains: example.com, prosemirror.net, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/assets/EnumSelect-BOrBkA76.jsView file
    94contains invisible/control Unicode U+200D (zero width joiner) `,x_=`️`,S_=`<U+200D>`,C_=``,w_=null,T_=null;function E_(e=[]){let t={};ug.groups=t;let n=new ug;w_??=A_(Yh),T_??=A_(Xh),Q(n,`'`,Vg),Q(n,`{`,wg),Q(n,`}`,Tg),Q(n,`[`,Eg),Q(n,`]`,Dg),Q(n,`(`,Og),Q(n,`)`,kg),Q(n,`<`,Ag),Q(n,`>`,jg),Q(n,`(`,Mg
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/assets/EnumSelect-BOrBkA76.jsView on unpkg · L94
    dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View file
    path = dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2 kind = high_entropy_blob sizeBytes = 4284 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View on unpkg

    Findings

    1 Critical1 High3 Medium4 Low
    CriticalTrojan Source Unicodedist/assets/EnumSelect-BOrBkA76.js
    HighShips High Entropy Blobdist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2
    MediumNetwork
    MediumStructural Risk Force Deep Review
    MediumWildcard Dependency
    LowScripts Present
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings