registry  /  @fluidattacks/design  /  4.16.7

@fluidattacks/design@4.16.7

⚠ Under review

Fluid Attacks core components library

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 192 file(s), 2.10 MB of source, external domains: bugzilla.mozilla.org, cloudinary.com, docs.docker.com, docs.microsoft.com, docs.swift.org, en.wikipedia.org, fb.me, github.com, kotlinlang.org, lodash.com, motion.dev, npms.io, openjdk.java.net, openjsf.org, res.cloudinary.com, stackoverflow.com, technet.microsoft.com, underscorejs.org, www.gnu.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/vendor-BBQctgLx.mjsView file
28238contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/vendor-BBQctgLx.mjsView on unpkg · L28238
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/vendor-BBQctgLx.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/vendor-BBQctgLx.mjsView on unpkg
4508try { L4509: var d = i && i.require && i.require("util").types; L4510: return d || o && o.binding && o.binding("util");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/vendor-BBQctgLx.mjsView on unpkg · L4508

Findings

2 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/vendor-BBQctgLx.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/vendor-BBQctgLx.mjs
MediumDynamic Requiredist/vendor-BBQctgLx.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License