registry  /  @fluidattacks/design  /  4.16.3

@fluidattacks/design@4.16.3

Fluid Attacks core components library

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are bundled UI/library code used for React components, Cloudinary media URLs, CSV export, lottie, lodash, and browser helpers.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing or using exported React components/hooks
Impact
No credential theft, persistence, destructive action, or unauthorized network exfiltration identified
Mechanism
Benign UI component library behavior
Rationale
Static inspection shows a normal bundled React design-system package; scanner hits map to common dependency/runtime patterns and package-aligned browser helpers rather than concrete attack behavior. There are no lifecycle hooks, privileged Node APIs, credential harvesting, persistence, or exfiltration paths.
Evidence
package.jsonREADME.mddist/index.jsdist/components-Bys1Jmds.mjsdist/vendor-BBQctgLx.mjsdist/context/next/index.jsdist/hooks/index.jsdist/components/cloud-image/index.jsdist/utils/index.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/vendor-BBQctgLx.mjs contains bundled Function("return this") and dynamic require("util").types patterns from common libraries
  • dist/vendor-BBQctgLx.mjs contains one control character inside lottie text splitting logic
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and only publishes README.md plus dist
  • dist/index.js is a React component barrel importing local dist modules and CSS
  • dist/components-Bys1Jmds.mjs localStorage helpers only read/write caller-provided UI state keys
  • dist/components-Bys1Jmds.mjs openUrl validates http/https or relative URLs before window.open
  • dist/vendor-BBQctgLx.mjs network strings are Cloudinary URL construction and bundled docs, not exfiltration
  • No child_process/fs writes, native binaries, credential harvesting, or suspicious package-file mutations found
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 192 file(s), 2.10 MB of source, external domains: bugzilla.mozilla.org, cloudinary.com, docs.docker.com, docs.microsoft.com, docs.swift.org, en.wikipedia.org, fb.me, github.com, kotlinlang.org, lodash.com, motion.dev, npms.io, openjdk.java.net, openjsf.org, res.cloudinary.com, stackoverflow.com, technet.microsoft.com, underscorejs.org, www.gnu.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/vendor-BBQctgLx.mjsView file
28238contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/vendor-BBQctgLx.mjsView on unpkg · L28238
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/vendor-BBQctgLx.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/vendor-BBQctgLx.mjsView on unpkg
4508try { L4509: var d = i && i.require && i.require("util").types; L4510: return d || o && o.binding && o.binding("util");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/vendor-BBQctgLx.mjsView on unpkg · L4508

Findings

2 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/vendor-BBQctgLx.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/vendor-BBQctgLx.mjs
MediumDynamic Requiredist/vendor-BBQctgLx.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License