AI Security Review
scanned 11m ago · by lpm-firewall-ai

No confirmed malware or install-time attack behavior was found. The package does expose high-risk browser runtime capabilities for dynamic component/script loading and content-derived chart evaluation.
Decision evidence
public snapshot
- farris.x-ui.esm.js:5860-5940 contains a runtime loader that appends caller-provided script/link elements to document
- farris.x-ui.esm.js:9996 evaluates ECharts option text with new Function from rendered content
- farris.x-ui.esm.js:239 fetches attachment URLs with credentials:"include" at user/runtime action
- package.json has no scripts, bin, preinstall, install, or postinstall hooks
- No Node fs, child_process, process.env, shell execution, persistence, or agent control-surface writes found
- Network URLs are browser/runtime inputs or package-aligned CDN/docs for Monaco/highlight assets
- No hardcoded credential exfiltration endpoint found
- Bidi/invisible Unicode hit is inside bundled dependency character tables, not deceptive source control flow
Source & flagged code
4 flagged
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (farris.x-ui.esm.js · L1331)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (farris.x-ui.esm.js)
- Package source references dynamic require/import behavior. (farris.x-ui.esm.js · L10112)
- Package source references a known benign dynamic code generation pattern. (farris.x-ui.esm.js · L9995)