registry  /  @fluidattacks/design  /  4.16.1

@fluidattacks/design@4.16.1

Fluid Attacks core components library

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Observed network and storage primitives are aligned with a React design/component library and bundled dependencies.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing or rendering exported React components
Impact
No unauthorized execution, exfiltration, persistence, or destructive behavior identified
Mechanism
UI components, Cloudinary URL generation, lottie asset loading, and local UI state storage
Rationale
Static inspection shows a bundled React component library with package-aligned browser APIs and no install-time/import-time malicious behavior. Scanner findings appear to be noisy matches on bundled libraries such as Cloudinary, lodash, motion, React Aria, and lottie.
Evidence
package.jsondist/index.jsdist/vendor-BBQctgLx.mjsdist/components-DGr7DiW8.mjsREADME.md
Network endpoints6
design.fluidattacks.comfluidattacks.com/res.cloudinary.com/fluid-attacks/image/upload/v1728418266/airs/logo/logo_full.pngdocs.fluidattacks.com/internal/engineering/components/designsdocs.fluidattacks.com/internal/engineering/contributingres.cloudinary.com/

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints.
    • dist/index.js only re-exports component modules and imports CSS/vendor bundles.
    • dist/vendor-BBQctgLx.mjs require/Function/process.env hits are bundled dependency compatibility/dev checks, not payload loading.
    • XMLHttpRequest in dist/vendor-BBQctgLx.mjs is lottie asset loading from caller-provided animation paths.
    • localStorage use in dist/components-DGr7DiW8.mjs stores UI/query state by caller-provided keys only.
    • No child_process, credential harvesting, destructive file writes, persistence, or AI-agent control-surface writes found.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    CopyleftLicense
    scanned 192 file(s), 2.10 MB of source, external domains: bugzilla.mozilla.org, cloudinary.com, docs.docker.com, docs.microsoft.com, docs.swift.org, en.wikipedia.org, fb.me, github.com, kotlinlang.org, lodash.com, motion.dev, npms.io, openjdk.java.net, openjsf.org, res.cloudinary.com, stackoverflow.com, technet.microsoft.com, underscorejs.org, www.gnu.org, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/vendor-BBQctgLx.mjsView file
    28238contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/vendor-BBQctgLx.mjsView on unpkg · L28238
    Trigger-reachable chain: manifest.main -> dist/index.js -> dist/vendor-BBQctgLx.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/vendor-BBQctgLx.mjsView on unpkg
    4508try { L4509: var d = i && i.require && i.require("util").types; L4510: return d || o && o.binding && o.binding("util");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/vendor-BBQctgLx.mjsView on unpkg · L4508

    Findings

    2 Critical4 Medium4 Low
    CriticalTrojan Source Unicodedist/vendor-BBQctgLx.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/vendor-BBQctgLx.mjs
    MediumDynamic Requiredist/vendor-BBQctgLx.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowCopyleft License