AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a React admin SPA that communicates with a host-configured admin API after the host mounts or serves it.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer calls mount(), or a browser loads the standalone HTML.
Impact
No install-time execution, credential harvesting, exfiltration, persistence, or destructive behavior was found.
Mechanism
Renders an admin UI and issues configured API requests.
Rationale
Direct inspection supports a prebuilt React admin SPA with host-configured API access, not malicious behavior. Scanner flags are explained by ordinary bundled dependencies and the package's documented build-time compression plugin.
Evidence
package.jsonsrc/standalone.tsxvite.config.tsdist/standalone/assets/heavy-fields-Ctx9uZME.jsdist/standalone/assets/router-CT00z_xv.jssrc/index.tssrc/app.tsxsrc/mount.tsxsrc/runtime-config.tsdist/lib/index.jsdist/standalone/index.html
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with high false-positive risk.
Evidence for block
Evidence against
- package.json has no lifecycle scripts or bin entrypoint.
- src/index.ts exports React mounting and runtime-config APIs only.
- src/standalone.tsx mounts into #root using host-provided window config.
- vite.config.ts explains .gz/.br files as build-time static-asset compression.
- No bidi/invisible controls found in dist/standalone/assets/heavy-fields-Ctx9uZME.js.
- Bundled fetches target configured same-origin/admin API paths, not a hard-coded third-party endpoint.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/standalone/assets/heavy-fields-Ctx9uZME.jsView file
131contains invisible/control Unicode U+200D (zero width joiner)
`,f_=`️`,p_=`<U+200D>`,m_=``,h_=null,g_=null;function __(e=[]){let t={};tg.groups=t;let n=new tg;h_??=x_(Bh),g_??=x_(Vh),J(n,`'`,Mg),J(n,`{`,hg),J(n,`}`,gg),J(n,`[`,_g),J(n,`]`,vg),J(n,`(`,yg),J(n,`)`,bg),J(n,`<`,xg),J(n,`>`,Sg),J(n,`(`,Cg
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/standalone/assets/heavy-fields-Ctx9uZME.jsView on unpkg · L131dist/standalone/index.html.brView file
•path = dist/standalone/index.html.br
kind = compressed_blob
sizeBytes = 512
magicHex = [redacted]
Medium
Ships Compressed Blob
Package ships compressed or archive-like blobs.
dist/standalone/index.html.brView on unpkgdist/standalone/assets/heavy-fields-Ctx9uZME.js.gzView file
•path = dist/standalone/assets/heavy-fields-Ctx9uZME.js.gz
kind = high_entropy_blob
sizeBytes = 185587
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/standalone/assets/heavy-fields-Ctx9uZME.js.gzView on unpkgFindings
1 Critical1 High4 Medium4 Low
CriticalTrojan Source Unicodedist/standalone/assets/heavy-fields-Ctx9uZME.js
HighShips High Entropy Blobdist/standalone/assets/heavy-fields-Ctx9uZME.js.gz
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobdist/standalone/index.html.br
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings