No confirmed malicious attack surface is established by source inspection. The package is a MathTS core library with generated dist exports and no install-time behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
importing library modules or explicitly running package scripts
Impact
No credential access, persistence, exfiltration, or unconsented control-surface mutation found.
Mechanism
math/type utility exports with optional typed-function WASM initialization
Rationale
The scanner's git dependency finding is package-aligned metadata, and direct inspection found no lifecycle execution or malicious runtime primitives. Optional WASM initialization delegates to the declared typed-function dependency and does not create a concrete attack surface in this package.
Evidence
package.jsondist/index.jsdist/internal.jsdist/chunk-JB4VPWK4.jsREADME.md
Network endpoints2
github.com/danielsimonjr/mathtsgithub:danielsimonjr/typed-function