registry  /  @cr-invested-ui-components/chart  /  99.9.1

@cr-invested-ui-components/chart@99.9.1

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package causes npm to retrieve an uninspected remote tarball dependency. No package-owned runtime attack code or lifecycle hook is present.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation or dependency resolution
Impact
The external archive can supply code outside the inspected package source.
Mechanism
Remote tarball dependency installation
Rationale
Source inspection confirms no direct malicious behavior, but the remote tarball dependency remains an unresolved executable supply-chain payload. Flag as suspicious rather than block because the archive's behavior is not established from this package source.
Evidence
package.jsonindex.js
Network endpoints1
ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.2.tgz

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • `package.json` installs `ltidisafe` from an external tarball URL.
  • The package source is otherwise inert, making the remote dependency the only executable supply-chain surface.
Evidence against
  • `index.js` only exports an empty object.
  • `package.json` defines no preinstall, install, postinstall, or prepare hook.
  • No credential access, shell execution, persistence, or exfiltration exists in inspected package files.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 35 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Remote tarball dependency specs: ltidisafe@https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.2.tgz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg

Findings

1 Medium1 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present