AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a web app/CLI for Cytario imaging data browsing with build-time code generation and bundled WASM/data-processing assets.
Decision evidence
public snapshot- package.json has a prepare hook, but it is only `husky || true`.
- vite-plugins/cytario-plugins.ts can write app/plugins.generated.ts during build based on CYTARIO_PLUGINS.
- scripts/download-duckdb-extensions.mjs can fetch DuckDB extension WASM from extensions.duckdb.org when explicitly run.
- bin/cytario-web.mjs spawns only local `npx --no-install` prisma/react-router or server.js for user-invoked CLI commands.
- No postinstall/preinstall install-time code or AI-agent control-surface writes found.
- CYTARIO_PLUGINS entries are npm-name validated and JSON-stringified before static import generation.
- Credential-bearing S3 fetch code blocks redirects and targets configured S3 endpoints, not an exfiltration host.
- Bundled zstd/duckdb worker assets appear to be large library/WASM loader artifacts aligned with imaging/data functionality.
Source & flagged code
9 flagged · loading sourcePackage contains a critical-looking secret pattern.
build/client/assets/zstd-BbiHKNjt.jsView on unpkg · L15AWS access key ID in build/client/assets/zstd-BbiHKNjt.js
build/client/assets/zstd-BbiHKNjt.jsView on unpkg · L15Package source references child process execution.
bin/cytario-web.mjsView on unpkg · L9Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
build/client/assets/duckdb-browser-eh.worker-hQa-dcAV.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
build/client/assets/duckdb-browser-eh.worker-hQa-dcAV.jsView on unpkg · L1Package source references dynamic require/import behavior.
server.jsView on unpkg · L9Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
build/client/assets/duckdb-browser-mvp.worker-C9hF7LGh.jsView on unpkg · L1Package ships WebAssembly modules.
public/duckdb-extensions/v1.4.3/wasm_threads/spatial.duckdb_extension.wasmView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
build/client/assets/ViewerStoreContext-BP6srx31.jsView on unpkg