AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a browser/editor compatibility bundle with user-invoked asset loading and ODT/tree-sitter WASM support.
Decision evidence
public snapshot- dist/kerebron.js has user-invoked fetch in createAssetLoad for caller-provided asset base
- dist/kerebron.js dynamically imports local odt_parser.internal-PfZhgDYB.js and instantiates caller-loaded WASM assets
- dist/kerebron.js uses browser localStorage for editor snapshots/menu order
- package.json has no lifecycle scripts; main/module point only to dist bundles
- No child_process, fs file harvesting, process.env, credential collection, or exfiltration endpoints found
- Network use is asset loading for tree-sitter/ODT WASM and README documents jsdelivr asset bases
- Bidi/Trojan-source control search found no matches in inspected JS bundles
- Import-time behavior is library definitions plus benign localStorage hydration, not project mutation
Source & flagged code
3 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/kerebron.cjsView on unpkg · L16A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/kerebron.cjsView on unpkgPackage source references a known benign dynamic code generation pattern.
dist/kerebron.cjsView on unpkg · L26