AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a React design/component library with browser UI helpers, Cloudinary media helpers, localStorage state helpers, clipboard copy buttons, and bundled third-party libraries.
Decision evidence
public snapshot- package.json has no install/preinstall/postinstall lifecycle hooks; exports point to dist/index.js and dist/context/next/index.js.
- dist/index.js only re-exports component/context/style modules and imports bundled vendor code.
- dist/vendor-BBQctgLx.mjs dynamic require hits util.types compatibility code; process.env reads are NODE_ENV/Cloudinary SDK mode checks.
- Trojan-source characters in dist/vendor-BBQctgLx.mjs are literal bidi isolates used as date-field text, not hidden control-flow source syntax.
- Network-capable code is package-aligned: Cloudinary URL generation and lottie asset loading via XMLHttpRequest from caller-provided animation paths.
- No child_process, filesystem access, credential harvesting, persistence, destructive behavior, or AI-agent control-surface writes found.
Source & flagged code
3 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/vendor-BBQctgLx.mjsView on unpkg · L28238A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/vendor-BBQctgLx.mjsView on unpkgPackage source references dynamic require/import behavior.
dist/vendor-BBQctgLx.mjsView on unpkg · L4508