registry  /  @fluidattacks/design  /  4.16.2

@fluidattacks/design@4.16.2

Fluid Attacks core components library

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a React design/component library with browser UI helpers, Cloudinary media helpers, localStorage state helpers, clipboard copy buttons, and bundled third-party libraries.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports and renders exported React components/hooks.
Impact
No credential exfiltration, install-time execution, persistence, or destructive action identified.
Mechanism
benign UI component library behavior
Rationale
Static inspection shows scanner hits are from bundled UI dependencies and package-aligned browser features, with no install-time or import-time malicious behavior. The bidi characters are data literals for date formatting, not Trojan Source manipulation.
Evidence
package.jsondist/index.jsdist/vendor-BBQctgLx.mjsdist/components-DIJCNlEu.mjsdist/context/next/index.jsdist/context/react/index.jsdist/globals/design-tokens-css/index.jsREADME.md
Network endpoints4
res.cloudinary.com/${e}res.cloudinary.com/${e}${e}-res.cloudinary.comdesign.fluidattacks.com

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; exports point to dist/index.js and dist/context/next/index.js.
    • dist/index.js only re-exports component/context/style modules and imports bundled vendor code.
    • dist/vendor-BBQctgLx.mjs dynamic require hits util.types compatibility code; process.env reads are NODE_ENV/Cloudinary SDK mode checks.
    • Trojan-source characters in dist/vendor-BBQctgLx.mjs are literal bidi isolates used as date-field text, not hidden control-flow source syntax.
    • Network-capable code is package-aligned: Cloudinary URL generation and lottie asset loading via XMLHttpRequest from caller-provided animation paths.
    • No child_process, filesystem access, credential harvesting, persistence, destructive behavior, or AI-agent control-surface writes found.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    CopyleftLicense
    scanned 192 file(s), 2.10 MB of source, external domains: bugzilla.mozilla.org, cloudinary.com, docs.docker.com, docs.microsoft.com, docs.swift.org, en.wikipedia.org, fb.me, github.com, kotlinlang.org, lodash.com, motion.dev, npms.io, openjdk.java.net, openjsf.org, res.cloudinary.com, stackoverflow.com, technet.microsoft.com, underscorejs.org, www.gnu.org, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/vendor-BBQctgLx.mjsView file
    28238contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/vendor-BBQctgLx.mjsView on unpkg · L28238
    Trigger-reachable chain: manifest.main -> dist/index.js -> dist/vendor-BBQctgLx.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/vendor-BBQctgLx.mjsView on unpkg
    4508try { L4509: var d = i && i.require && i.require("util").types; L4510: return d || o && o.binding && o.binding("util");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/vendor-BBQctgLx.mjsView on unpkg · L4508

    Findings

    2 Critical4 Medium4 Low
    CriticalTrojan Source Unicodedist/vendor-BBQctgLx.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/vendor-BBQctgLx.mjs
    MediumDynamic Requiredist/vendor-BBQctgLx.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowCopyleft License