registry  /  @goplusvn/core  /  0.1.21

@goplusvn/core@0.1.21

GoPlusVN Platform Kit - ERP kernel: layout, RBAC, CRUD, multi-tenant, system pages

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by source inspection. Observed network use is normal app/API UI behavior or package metadata links.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports package modules or explicitly runs project scripts.
Impact
No install-time execution, credential harvesting, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation confirmed.
Mechanism
ERP UI/core library components and services.
Rationale
The suspicious signals are explained by package metadata, relative application API fetches, environment-based configuration flags, and inert local maintenance Python scripts. No concrete malicious chain remains after inspection.
Evidence
package.jsonsrc/index.tssrc/user/components/unified-profile-dialog.tsxsrc/ui/forms/update_search.pysrc/ui/forms/update_multiselect.pysrc/ui/forms/upgrade_multiselect.pysrc/ui/forms/multi-select.tsx
Network endpoints4
registry.npmjs.orggithub.com/goeatvn/goerp.gitgithub.com/Qualiorapurecatamphetamine.github.io/country-flag-icons/3x2/${country}.svg

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks.
    • src/index.ts only re-exports package modules.
    • Scanner-highlighted profile dialog fetches relative app API routes and handles user-entered password via app callbacks/payloads.
    • Python helper scripts are not referenced by lifecycle scripts, exports, or the main entrypoint.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 402 file(s), 1.69 MB of source, external domains: github.com, google.com, purecatamphetamine.github.io, www.example.com, www.w3.org

    Source & flagged code

    2 flagged · loading source
    src/user/components/unified-profile-dialog.tsxView file
    283patternName = generic_password severity = medium line = 283 matchedText = payload....56";
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    src/user/components/unified-profile-dialog.tsxView on unpkg · L283
    src/ui/forms/update_search.pyView file
    path = src/ui/forms/update_search.py kind = build_helper sizeBytes = 1662 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    src/ui/forms/update_search.pyView on unpkg

    Findings

    4 Medium4 Low
    MediumSecret Patternsrc/user/components/unified-profile-dialog.tsx
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helpersrc/ui/forms/update_search.py
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License