
@evlop/commons@1.0.388

AI Security Review

scanned 4h ago · by lpm-firewall-ai

The package exposes runtime helpers that can fetch and execute remote or caller-supplied code. This is a dangerous library capability, but inspection did not find automatic install/import-time execution or covert exfiltration.

Static reason
High-risk behavior combination matched malicious policy; the diff against the previous stored version introduced dangerous source.
Trigger
Consumer calls exported helpers such as loadPackage/loadJSONPModule, EDL render helpers, or evaluateCode with untrusted input.
Impact
Remote code execution in the consumer runtime if untrusted package names, URLs, or EDL/code strings are passed.
Mechanism
Remote fetch followed by eval, new Function, or vm execution.
Attack narrative
A consuming app can call loadPackage with a package name/version or external URL, causing the library to fetch JavaScript text and eval it as a JSONP-style module. EDL and evaluateCode paths also compile caller-provided code. These are reachable exported capabilities and could become RCE if fed untrusted input, but there is no lifecycle hook, import-time trigger, secret theft, persistence, or hidden endpoint that makes this package itself malicious.
Rationale
Static inspection confirms high-risk dynamic code execution primitives, especially exported remote fetch plus eval, but they are user-invoked framework/plugin capabilities rather than unconsented automatic attack behavior. Treat as warn-worthy dangerous capability, not publish-block malware.
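The loadPackage path described in the attack narrative is only as safe as the strings a consumer passes to it. The following is an added example, not code from @evlop/commons or from this report: it reconstructs the URL selection quoted from the flagged excerpt (isExternalUrl and the jsDelivr path are taken from that excerpt) so the caller-controlled fetch target is visible, and then wraps it in a hypothetical consumer-side guard. The guard function, the allowlist shape and the sample allowlist are this example's own assumptions.

```javascript
// Added example for this report; it is not code from @evlop/commons. It
// reconstructs the URL selection quoted from dist/esm/src/helpers/functions.js
// to show the caller-controlled fetch target, then wraps it in a hypothetical
// consumer-side guard. Everything except isExternalUrl and the jsDelivr URL
// shape is this example's own assumption.

// Reconstruction of the flagged logic: an http(s) "name" is treated as an
// external base URL, otherwise a jsDelivr path is built from name and version.
// Whatever is fetched from the resulting URL is passed to eval by the library.
function isExternalUrl(s) {
  return /^https?:\/\//i.test(s);
}

function unsafeLoadTarget(name, version) {
  return isExternalUrl(name)
    ? `${name}/index.js`
    : `https://cdn.jsdelivr.net/npm/${name}@${version}/dist/index.js`;
}

// npm package-name grammar (optionally scoped): lowercase, no slashes beyond
// the scope separator, so no path traversal or URL characters survive.
const PKG_NAME = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
// Exact release versions only: no ranges, no dist-tags such as "latest".
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Hypothetical hardened wrapper. The consumer owns an allowlist of package
// names and pinned versions; caller-supplied strings can only select among
// those and can never choose a host or a floating version.
function safeLoadTarget(name, version, allowlist) {
  if (typeof name !== 'string' || isExternalUrl(name) || !PKG_NAME.test(name)) {
    throw new Error(`refused: ${JSON.stringify(name)} is not a plain npm package name`);
  }
  if (typeof version !== 'string' || !EXACT_VERSION.test(version)) {
    throw new Error(`refused: ${JSON.stringify(version)} is not an exact release version`);
  }
  // Own-property check so a name like "constructor" cannot resolve through
  // Object.prototype and slip past the allowlist.
  if (!Object.prototype.hasOwnProperty.call(allowlist, name) ||
      !allowlist[name].includes(version)) {
    throw new Error(`refused: ${name}@${version} is not in the allowlist`);
  }
  // After the checks above, name and version contain only [a-z0-9._-@/] and
  // digits, so direct interpolation cannot change the host or path structure.
  return `https://cdn.jsdelivr.net/npm/${name}@${version}/dist/index.js`;
}

// Constructed allowlist for the demonstration (assumed, not from the package).
const ALLOWLIST = { '@evlop/commons': ['1.0.388'], lodash: ['4.17.21'] };

// Helper used to show which inputs the guard rejects.
function refuses(name, version) {
  try {
    safeLoadTarget(name, version, ALLOWLIST);
    return false;
  } catch {
    return true;
  }
}
```

With the original construction, a "package name" of `https://attacker.example` selects the attacker's host outright, and a version such as `latest` makes the fetched code change under the consumer without any redeploy; the guard rejects both, along with unknown packages and prototype-chain names. Pinning to exact versions still leaves the CDN itself trusted, which is the residual risk a consumer accepts by using this loading path at all.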
Evidence
  • package.json
  • dist/cjs/main.js
  • dist/cjs/src/helpers/functions.js
  • dist/cjs/src/edl/index.js
  • dist/cjs/src/adapters/evaluateCode/index.js
  • dist/cjs/bin/generate-google-fonts-cache.js
  • dist/cjs/bin/generate-google-fonts-cache.js writes ./src/constants/googleFonts/variants.json
  • dist/cjs/bin/generate-google-fonts-cache.js writes ./src/constants/googleFonts/variants.min.json
  • dist/cjs/bin/generate-icons-cache.js writes ./src/constants/iconInfo/reactNativeVectorIcons.lookup.json
  • dist/cjs/bin/generate-icons-cache.js writes ./src/constants/iconInfo/reactNativeVectorIcons.lookup.min.json
  • dist/cjs/bin/generate-icons-cache.js writes ./src/constants/iconInfo/types.ts
Network endpoints (4)
  • cdn.jsdelivr.net/npm/
  • cdn.evlop.com/assets-info/icons.min.json?v=9
  • www.googleapis.com/webfonts/v1/webfonts?key=AIzaSyBwRrjscdahzwbFlwDBqsxWBsX76tEBCvs
  • fonts.googleapis.com/css

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cjs/src/helpers/functions.js exports loadPackage/loadJSONPModule that fetches URL text and evals it.
  • loadPackage builds https://cdn.jsdelivr.net/npm/${name}@${version}/dist/index.js or accepts external http(s) base URL.
  • dist/cjs/src/edl/index.js uses new Function to compile EDL-provided JS when renderBlock/renderModule is called.
  • dist/cjs/src/adapters/evaluateCode/index.js runs caller-supplied code in vm.runInNewContext.
Evidence against
  • package.json has no install/postinstall lifecycle hooks or bin entrypoint.
  • dist/cjs/main.js only re-exports library modules; dangerous functions require runtime caller invocation.
  • No credential harvesting, persistence, AI-agent control-surface writes, or automatic import-time network execution found.
  • Network endpoints are package/CDN-aligned or caller-controlled plugin/API URLs.
Behavioral surface
  Source: child process, environment vars, eval, filesystem, network, WebSocket
  Supply chain: high-entropy strings, URL strings
  Manifest: no manifest risk signals triggered.
scanned 324 file(s), 625 KB of source, external domains: api.example.com, cdn.evlop.com, cdn.jsdelivr.net, fonts.googleapis.com, www.googleapis.com

Source & flagged code

8 flagged

dist/esm/bin/generate-google-fonts-cache.js (line 29)
  patternName = google_api_key; severity = high; line = 29; matchedText = const fo...vs')
  High · High Secret
  Package contains a high-severity secret pattern.

dist/esm/bin/generate-google-fonts-cache.js (line 29)
  patternName = google_api_key; severity = high; line = 29; matchedText = const fo...vs')
  High · Secret Pattern
  Google API key in dist/esm/bin/generate-google-fonts-cache.js
dist/esm/src/adapters/evaluateCode/index.native.js (line 3)
  line 3: throw new Error('Context must be a object');
  line 4: const fn = eval(`(context)=>{
  line 5: ${Object.keys(context).map(key => `const ${key} = context['${key}'];`).join('\n')}
  High · Eval
  Package source references dynamic code evaluation.
dist/esm/src/adapters/evaluateCode/index.js (line 1)
  line 1: import vm from 'vm';
  line 2: export default function evaluateCode(code, context) {
  Medium · Unsafe Vm Context
  Package source executes code through a VM context API. Node's vm module provides a separate V8 context, not a security boundary: code run this way can reach the host realm through objects shared into the context.
dist/esm/src/helpers/functions.js (line 21)
  line 21: export function loadPackage(name, version) {
  line 22:   const url = isExternalUrl(name) ? `${name}/index.js` : `https://cdn.jsdelivr.net/npm/${name}@${version}/dist/index.js`;
  line 23:   return loadJSONPModule({ name: 'registerModule', url });
  ...
  line 26:   return fetch(url)
  line 27:     .then(r => r.text())
  line 28:     .then(moduleData => eval(`const ${name} = a => a;${moduleData};`));
  line 29: };
  Critical · Remote Asset Decode Execute
  Source fetches a remote resource and dynamically executes its body. In the flagged excerpt the fetched body is JavaScript text (a package's dist/index.js on jsDelivr, or index.js under a caller-supplied http(s) base URL) passed straight to eval; there is no separate decode step.
dist/cjs/src/helpers/functions.js
  Trigger-reachable chain: manifest.main -> dist/cjs/main.js -> dist/cjs/src/helpers/index.js -> dist/cjs/src/helpers/functions.js. The reachable file contains a blocking source-risk pattern.
  Critical · Trigger Reachable Dangerous Capability
  A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. Here the chain runs from the manifest main entrypoint; the package declares no install-time lifecycle scripts, so the capability is reached only when a consumer imports the package and calls the helper.
dist/cjs/src/edl/index.js
  matchType = previous_version_dangerous_delta
  matchedPackage = @evlop/commons@1.0.383
  matchedIdentity = npm:QGV2bG9wL2NvbW1vbnM:1.0.383
  similarity = 0.983
  summary = stored previous version shares package body but lacks this dangerous source file
  Critical · Previous Version Dangerous Delta
  This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cjs/bin/generate-google-fonts-cache.js (line 34)
  patternName = google_api_key; severity = high; line = 34; matchedText = const fo...vs')
  High · Secret Pattern
  Google API key in dist/cjs/bin/generate-google-fonts-cache.js

Findings

3 Critical · 5 High · 4 Medium · 4 Low

  • Critical · Remote Asset Decode Execute · dist/esm/src/helpers/functions.js
  • Critical · Trigger Reachable Dangerous Capability · dist/cjs/src/helpers/functions.js
  • Critical · Previous Version Dangerous Delta · dist/cjs/src/edl/index.js
  • High · High Secret · dist/esm/bin/generate-google-fonts-cache.js
  • High · Child Process
  • High · Eval · dist/esm/src/adapters/evaluateCode/index.native.js
  • High · Secret Pattern · dist/esm/bin/generate-google-fonts-cache.js
  • High · Secret Pattern · dist/cjs/bin/generate-google-fonts-cache.js
  • Medium · Unsafe Vm Context · dist/esm/src/adapters/evaluateCode/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings