
@evlop/commons@1.0.383

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package exposes user-invoked remote/code evaluation helpers as part of an EDL/component rendering framework. No confirmed malicious install-time or import-time payload was found, but the exported capability can execute remote or caller-provided JavaScript.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application calls loadPackage/loadJSONPModule, EDL.Render with js/url/edl script input, or evaluateCode with untrusted code
Impact
Code execution in the consuming application context if untrusted package names, URLs, EDL, or JS strings are passed
Mechanism
remote/caller-provided JavaScript execution via fetch plus eval/new Function/vm
Attack narrative
A consuming app can invoke exported helpers/components that fetch JavaScript from jsDelivr or an arbitrary URL and execute it with eval/new Function, or evaluate caller-supplied code directly. This is reachable from public exports but appears to be an intentional low-code/rendering capability rather than an automatic malicious payload.
Rationale
Static inspection confirms dangerous user-invoked remote/code execution primitives but not unconsented install/import execution, harvesting, persistence, or exfiltration. Treat as a warning for dangerous capability rather than a malicious publish block.
Evidence
  • package.json
  • dist/esm/src/helpers/functions.js
  • dist/esm/src/edl/index.js
  • dist/esm/src/adapters/evaluateCode/index.js
  • dist/esm/src/adapters/evaluateCode/index.native.js
  • dist/esm/bin/generate-google-fonts-cache.js
  • dist/esm/src/helpers/iconHelper.js
  • ./src/constants/googleFonts/variants.json
  • ./src/constants/googleFonts/variants.min.json
Network endpoints (3)
  • cdn.jsdelivr.net/npm/${name}@${version}/dist/index.js
  • www.googleapis.com/webfonts/v1/webfonts?key=AIzaSyBwRrjscdahzwbFlwDBqsxWBsX76tEBCvs
  • cdn.evlop.com/assets-info/icons.min.json?v=9

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/esm/src/helpers/functions.js exports loadPackage/loadJSONPModule that fetches remote JS then evals it
  • dist/esm/src/edl/index.js Render can load JS from a caller-provided url and execute it with new Function
  • dist/esm/src/adapters/evaluateCode/index.js runs caller-supplied code in vm.runInNewContext
  • dist/esm/src/adapters/evaluateCode/index.native.js evaluates caller-supplied code with eval
  • dist/esm/bin/generate-google-fonts-cache.js contains a Google Webfonts API key and writes generated cache files
Evidence against
  • package.json has no install/postinstall lifecycle hooks
  • Remote execution paths are exported utilities/components, not automatic install-time or import-time behavior
  • No credential harvesting, persistence, destructive actions, or exfiltration endpoints found
  • Network endpoints are Google Fonts, jsDelivr, evlop CDN, and caller-configured application URLs
  • main entrypoint broadly re-exports library modules without immediate network or shell execution
Behavioral surface
Source
  • ChildProcess
  • EnvironmentVars
  • Eval
  • Filesystem
  • Network
  • WebSocket
Supply chain
  • HighEntropyStrings
  • UrlStrings
Manifest
No manifest risk signals triggered.
scanned 324 file(s), 623 KB of source, external domains: api.example.com, cdn.evlop.com, cdn.jsdelivr.net, fonts.googleapis.com, www.googleapis.com

Source & flagged code

7 flagged
dist/esm/bin/generate-google-fonts-cache.js · line 29
  patternName = google_api_key · severity = high · matchedText = const fo...vs')
High · High Secret

Package contains a high-severity secret pattern.
dist/esm/bin/generate-google-fonts-cache.js · line 29
  patternName = google_api_key · severity = high · matchedText = const fo...vs')
High · Secret Pattern

Google API key in dist/esm/bin/generate-google-fonts-cache.js
dist/esm/src/adapters/evaluateCode/index.native.js · lines 3-5
  3: throw new Error('Context must be a object');
  4: const fn = eval(`(context)=>{
  5: ${Object.keys(context).map(key => `const ${key} = context['${key}'];`).join('\n')}
High · Eval

Package source references dynamic code evaluation. Note that line 5 splices the keys of the caller's context object into the evaluated source as `const` identifiers, so the keys are an injection point as well as the code string itself.
dist/esm/src/adapters/evaluateCode/index.js · lines 1-2
  1: import vm from 'vm';
  2: export default function evaluateCode(code, context) {
Medium · Unsafe Vm Context

Package source executes code through a VM context API. Node's vm module gives the evaluated code its own globals but is documented as not being a security mechanism; a caller-supplied `context` object is shared by reference with the evaluated code.
dist/esm/src/helpers/functions.js · lines 21-29
  21: export function loadPackage(name, version) {
  22:   const url = isExternalUrl(name) ? `${name}/index.js` : `https://cdn.jsdelivr.net/npm/${name}@${version}/dist/index.js`;
  23:   return loadJSONPModule({ name: 'registerModule', url });
  ...
  26:   return fetch(url)
  27:     .then(r => r.text())
  28:     .then(moduleData => eval(`const ${name} = a => a;${moduleData};`));
  29: };
Critical · Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. In this package the fetched resource is the named package's dist/index.js on jsDelivr (or `${name}/index.js` when `name` is an external URL), read as text and passed straight to eval. Note that `name` is also spliced into the evaluated source as an identifier on line 28, so it is an injection point even before the fetch.
dist/cjs/src/helpers/functions.js
  Trigger-reachable chain: manifest.main -> dist/cjs/main.js -> dist/cjs/src/helpers/index.js -> dist/cjs/src/helpers/functions.js
  Reachable file contains a blocking source-risk pattern.
Critical · Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. Here the chain is import-time reachability through re-exports from the main entrypoint; as noted under "Evidence against", the flagged helper only executes remote code when a caller invokes it, not on import.
dist/cjs/bin/generate-google-fonts-cache.js · line 34
  patternName = google_api_key · severity = high · matchedText = const fo...vs')
High · Secret Pattern

Google API key in dist/cjs/bin/generate-google-fonts-cache.js

Findings

2 Critical · 5 High · 4 Medium · 4 Low
  • Critical · Remote Asset Decode Execute · dist/esm/src/helpers/functions.js
  • Critical · Trigger Reachable Dangerous Capability · dist/cjs/src/helpers/functions.js
  • High · High Secret · dist/esm/bin/generate-google-fonts-cache.js
  • High · Child Process
  • High · Eval · dist/esm/src/adapters/evaluateCode/index.native.js
  • High · Secret Pattern · dist/esm/bin/generate-google-fonts-cache.js
  • High · Secret Pattern · dist/cjs/bin/generate-google-fonts-cache.js
  • Medium · Unsafe Vm Context · dist/esm/src/adapters/evaluateCode/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings