registry  /  @modern-admin/web  /  0.3.0

@modern-admin/web@0.3.0

Pre-built React admin SPA. Mount it into a host page or let @modern-admin/nest serve the standalone bundle.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React admin SPA that communicates with a host-configured admin API after the host mounts or serves it.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer calls mount(), or a browser loads the standalone HTML.
Impact
No install-time execution, credential harvesting, exfiltration, persistence, or destructive behavior was found.
Mechanism
Renders an admin UI and issues configured API requests.
Rationale
Direct inspection supports a prebuilt React admin SPA with host-configured API access, not malicious behavior. Scanner flags are explained by ordinary bundled dependencies and the package's documented build-time compression plugin.
Evidence
package.jsonsrc/standalone.tsxvite.config.tsdist/standalone/assets/heavy-fields-Ctx9uZME.jsdist/standalone/assets/router-CT00z_xv.jssrc/index.tssrc/app.tsxsrc/mount.tsxsrc/runtime-config.tsdist/lib/index.jsdist/standalone/index.html

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with high false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts or bin entrypoint.
    • src/index.ts exports React mounting and runtime-config APIs only.
    • src/standalone.tsx mounts into #root using host-provided window config.
    • vite.config.ts explains .gz/.br files as build-time static-asset compression.
    • No bidi/invisible controls found in dist/standalone/assets/heavy-fields-Ctx9uZME.js.
    • Bundled fetches target configured same-origin/admin API paths, not a hard-coded third-party endpoint.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 70 file(s), 2.79 MB of source, external domains: bit.ly, github.com, json-schema.org, prosemirror.net, react.dev, redux-toolkit.js.org, redux.js.org, socket.io, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/standalone/assets/heavy-fields-Ctx9uZME.jsView file
    131contains invisible/control Unicode U+200D (zero width joiner) `,f_=`️`,p_=`<U+200D>`,m_=``,h_=null,g_=null;function __(e=[]){let t={};tg.groups=t;let n=new tg;h_??=x_(Bh),g_??=x_(Vh),J(n,`'`,Mg),J(n,`{`,hg),J(n,`}`,gg),J(n,`[`,_g),J(n,`]`,vg),J(n,`(`,yg),J(n,`)`,bg),J(n,`<`,xg),J(n,`>`,Sg),J(n,`(`,Cg
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/standalone/assets/heavy-fields-Ctx9uZME.jsView on unpkg · L131
    dist/standalone/index.html.brView file
    path = dist/standalone/index.html.br kind = compressed_blob sizeBytes = 512 magicHex = [redacted]
    Medium
    Ships Compressed Blob

    Package ships compressed or archive-like blobs.

    dist/standalone/index.html.brView on unpkg
    dist/standalone/assets/heavy-fields-Ctx9uZME.js.gzView file
    path = dist/standalone/assets/heavy-fields-Ctx9uZME.js.gz kind = high_entropy_blob sizeBytes = 185587 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    dist/standalone/assets/heavy-fields-Ctx9uZME.js.gzView on unpkg

    Findings

    1 Critical1 High4 Medium4 Low
    CriticalTrojan Source Unicodedist/standalone/assets/heavy-fields-Ctx9uZME.js
    HighShips High Entropy Blobdist/standalone/assets/heavy-fields-Ctx9uZME.js.gz
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Compressed Blobdist/standalone/index.html.br
    MediumStructural Risk Force Deep Review
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings