AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network use is limited to the configured same-origin CMS API and a user-initiated storage upload URL returned by that API.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Admin UI runtime actions, including login, CMS requests, and user-selected media upload.
Impact
No package-originated exfiltration, persistence, install-time execution, or destructive action established.
Mechanism
Browser-based CMS administration client using relative API requests.
Rationale
Source inspection shows a Vue CMS admin package with no lifecycle execution or concrete malicious behavior. Scanner findings are explained by bundled font/minified frontend assets and legitimate CMS API/media-upload functionality.
Evidence
package.jsondist/index.jssrc/composables/useApiClient.tssrc/components/fields/MediaUpload.vuedist/assets/EnumSelect-BOrBkA76.jssrc/stores/auth.tssrc/App.vuesrc/views/media/MediaLibraryView.vuedist/codegen/index.js
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks.
- dist/index.js only exports createAdminAdapter.
- src/composables/useApiClient.ts uses same-origin admin API paths with cookies.
- src/components/fields/MediaUpload.vue uploads only user-selected files to server-provided presigned URLs.
- No child-process, filesystem, eval, or credential-harvesting primitives found in source.
- Flagged .woff2 is a font asset; flagged bundle is ordinary minified Vue admin UI.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedObfuscatedUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/assets/EnumSelect-BOrBkA76.jsView file
94contains invisible/control Unicode U+200D (zero width joiner)
`,x_=`️`,S_=`<U+200D>`,C_=``,w_=null,T_=null;function E_(e=[]){let t={};ug.groups=t;let n=new ug;w_??=A_(Yh),T_??=A_(Xh),Q(n,`'`,Vg),Q(n,`{`,wg),Q(n,`}`,Tg),Q(n,`[`,Eg),Q(n,`]`,Dg),Q(n,`(`,Og),Q(n,`)`,kg),Q(n,`<`,Ag),Q(n,`>`,jg),Q(n,`(`,Mg
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/assets/EnumSelect-BOrBkA76.jsView on unpkg · L94dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View file
•path = dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2
kind = high_entropy_blob
sizeBytes = 4284
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View on unpkgFindings
1 Critical1 High3 Medium4 Low
CriticalTrojan Source Unicodedist/assets/EnumSelect-BOrBkA76.js
HighShips High Entropy Blobdist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings