registry  /  @bobbykim/manguito-cms-admin  /  0.3.0

@bobbykim/manguito-cms-admin@0.3.0

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue CMS admin UI whose browser requests target the configured same-origin admin API; media uploads are activated by user file selection.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User opens the admin UI, authenticates, or chooses a media file to upload.
Impact
Normal administrative API access and file upload; no source evidence of exfiltration, remote payload execution, persistence, or destructive behavior.
Mechanism
CMS API client and user-initiated media upload flow.
Rationale
Direct inspection found a conventional bundled Vue CMS admin package, not malicious behavior. Scanner signals resolve to normal font assets and a U+200D character used by bundled linkification logic rather than Trojan Source controls.
Evidence
package.jsondist/index.jssrc/composables/useApiClient.tssrc/views/media/MediaLibraryView.vuesrc/components/fields/MediaUpload.vuesrc/components/fields/ComputedDisplay.vuedist/assets/ComputedDisplay-C2FpwSB1.jsvite.config.tssrc/App.vuesrc/views/LoginView.vuesrc/main.ts

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no lifecycle hooks and exports `dist/index.js`.
    • `dist/index.js` only returns an admin prefix adapter.
    • `src/composables/useApiClient.ts` uses same-origin `/admin/api` requests with session cookies.
    • `src/views/media/MediaLibraryView.vue` uploads only a user-selected file via CMS or backend-provided presigned URL.
    • `ComputedDisplay-C2FpwSB1.js` contains U+200D in bundled linkification data, not a bidi override.
    • High-entropy findings are bundled `.woff/.woff2` web fonts.
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    Manifest
    WildcardDependency
    scanned 46 file(s), 623 KB of source, external domains: example.com, prosemirror.net, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/assets/ComputedDisplay-C2FpwSB1.jsView file
    94contains invisible/control Unicode U+200D (zero width joiner) `,x_=`️`,S_=`<U+200D>`,C_=``,w_=null,T_=null;function E_(e=[]){let t={};ug.groups=t;let n=new ug;w_??=A_(Yh),T_??=A_(Xh),Q(n,`'`,Vg),Q(n,`{`,wg),Q(n,`}`,Tg),Q(n,`[`,Eg),Q(n,`]`,Dg),Q(n,`(`,Og),Q(n,`)`,kg),Q(n,`<`,Ag),Q(n,`>`,jg),Q(n,`(`,Mg
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/assets/ComputedDisplay-C2FpwSB1.jsView on unpkg · L94
    dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View file
    path = dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2 kind = high_entropy_blob sizeBytes = 4284 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    dist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2View on unpkg

    Findings

    1 Critical1 High3 Medium4 Low
    CriticalTrojan Source Unicodedist/assets/ComputedDisplay-C2FpwSB1.js
    HighShips High Entropy Blobdist/assets/plus-jakarta-sans-vietnamese-500-normal-DiU8zqi-.woff2
    MediumNetwork
    MediumStructural Risk Force Deep Review
    MediumWildcard Dependency
    LowScripts Present
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings