registry  /  @hubsync/esign-web-sdk  /  6.9.53

@hubsync/esign-web-sdk@6.9.53

Verdocs Web SDK

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. On user import and component use, this browser SDK loads its own chunks and communicates with Verdocs service endpoints and its feature-flag endpoint.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the browser SDK or mounts its signing/contact-picker components.
Impact
Expected e-signing SDK network activity; no install-time mutation, persistence, or exfiltration chain found.
Mechanism
Browser UI components call configured Verdocs APIs and retrieve feature flags.
Rationale
Direct source inspection shows a browser e-signing component library with package-aligned Verdocs API and feature-flag traffic. The flagged polyfill and dynamic-loader patterns do not form a concrete malicious chain.
Evidence
package.jsondist/collection/utils/Environment.jsdist/collection/utils/Unleash.jsdist/cjs/verdocs-sign.cjs.entry.jsdist/cjs/verdocs-contact-picker.cjs.entry.jsdist/verdocs-web-sdk/verdocs-web-sdk.jsREADME.md
Network endpoints3
api.verdocs.comstage-api.verdocs.comunleash.verdocs.com/api/frontend

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/collection/utils/Unleash.js` requests configured feature flags from `https://unleash.verdocs.com/api/frontend`.
  • `dist/verdocs-web-sdk/verdocs-web-sdk.js` contains Stencil/SystemJS browser polyfills and source-relative chunk loading.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or prepublish lifecycle hook.
  • `dist/collection/utils/Environment.js` configures only Verdocs production/staging API origins.
  • `dist/cjs/verdocs-sign.cjs.entry.js` uses the declared Verdocs SDK for signing-envelope operations.
  • No `child_process`, Node filesystem, credential-harvesting, AI-agent-control, or direct eval/new-Function behavior was found in distributed JavaScript.
  • The scanner's builtin mutation matches browser compatibility polyfills, not network interception or data forwarding.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 578 file(s), 13.5 MB of source, external domains: api.verdocs.com, app.verdocs.com, beta.verdocs.com, chat.stenciljs.com, date-fns.org, developer.mozilla.org, en.wikipedia.org, fonts.gstatic.com, github.com, polymer.github.io, stage-api.verdocs.com, stage.verdocs.com, stenciljs.com, unleash.verdocs.com, verdocs.com, www.google.com, www.unicode.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.cjs.jsView on unpkg · L1
dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5 L11: * https://github.com/zloirock/core-js L12: * License: http://rock.mit-license.org ... L14: */ L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export... L16: ... L18: // IIFE version L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret... L20:
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10

Findings

1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings