AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Vue CMS admin UI whose browser requests target the configured same-origin admin API; media uploads are activated by user file selection.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User opens the admin UI, authenticates, or chooses a media file to upload.
Impact
Normal administrative API access and file upload; no source evidence of exfiltration, remote payload execution, persistence, or destructive behavior.
Mechanism
CMS API client and user-initiated media upload flow.
Rationale
Direct inspection found a conventional bundled Vue CMS admin package, not malicious behavior. Scanner signals resolve to normal font assets and a U+200D character used by bundled linkification logic rather than Trojan Source controls.
Evidence
package.jsondist/index.jssrc/composables/useApiClient.tssrc/views/media/MediaLibraryView.vuesrc/components/fields/MediaUpload.vuesrc/components/fields/ComputedDisplay.vuedist/assets/ComputedDisplay-C2FpwSB1.jsvite.config.tssrc/App.vuesrc/views/LoginView.vuesrc/main.ts
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no lifecycle hooks and exports `dist/index.js`.
- `dist/index.js` only returns an admin prefix adapter.
- `src/composables/useApiClient.ts` uses same-origin `/admin/api` requests with session cookies.
- `src/views/media/MediaLibraryView.vue` uploads only a user-selected file via CMS or backend-provided presigned URL.
- `ComputedDisplay-C2FpwSB1.js` contains U+200D in bundled linkification data, not a bidi override.
- High-entropy findings are bundled `.woff/.woff2` web fonts.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedObfuscatedUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/assets/ComputedDisplay-C2FpwSB1.jsView file
94contains invisible/control Unicode U+200D (zero width joiner)
`,x_=`️`,S_=`<U+200D>`,C_=``,w_=null,T_=null;function E_(e=[]){let t={};ug.groups=t;let n=new ug;w_??=A_(Yh),T_??=A_(Xh),Q(n,`'`,Vg),Q(n,`{`,wg),Q(n,`}`,Tg),Q(n,`[`,Eg),Q(n,`]`,Dg),Q(n,`(`,Og),Q(n,`)`,kg),Q(n,`<`,Ag),Q(n,`>`,jg),Q(n,`(`,Mg
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/assets/ComputedDisplay-C2FpwSB1.jsView on unpkg · L94dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View file
•path = dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2
kind = high_entropy_blob
sizeBytes = 4284
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View on unpkgFindings
1 Critical1 High3 Medium4 Low
CriticalTrojan Source Unicodedist/assets/ComputedDisplay-C2FpwSB1.js
HighShips High Entropy Blobdist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings