registry  /  @rtzh/cesium  /  0.0.10

@rtzh/cesium@0.0.10

CesiumJS is a JavaScript library for creating 3D globes and 2D maps in a web browser without a plugin.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A `prepare` lifecycle hook can invoke Playwright browser/system-dependency installation after earlier commands fail. No credential theft, remote payload URL, or AI-agent control-surface mutation was confirmed.

Static reason
No blocking static signals were detected.; source closely matched a different package identity
Trigger
npm lifecycle execution of `prepare`
Impact
Unexpected browser download and host dependency installation during lifecycle execution.
Mechanism
lifecycle shell fallback to Playwright dependency installation
Rationale
Source inspection supports a warning for risky lifecycle behavior, not a malicious block. The runtime entrypoints are local Cesium loaders/re-exports and do not establish an attack chain.
Evidence
package.json.husky/pre-commitindex.cjsSource/Cesium.jsSource/ThirdParty/Workers/basis_transcoder.js

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines a `prepare` lifecycle command ending in `playwright install --with-deps`.
  • The referenced `gulp` files and `scripts/isCI.js` are absent, so the shell fallback can run when `prepare` is invoked.
Evidence against
  • `index.cjs` only selects local minified or unminified Cesium entrypoints based on `NODE_ENV`.
  • `Source/Cesium.js` is a re-export facade for `@rtzh/engine` and `@rtzh/widgets`.
  • `.husky/pre-commit` only invokes `npx lint-staged`; no agent-control configuration is present.
  • `basis_transcoder.js` is an Emscripten-style local WASM loader; no credential harvesting or exfiltration was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 230 file(s), 6.19 MB of source, external domains: cbk0.google.com, github.com, maps.google.com, www.apache.org, www.w3.org
Oversized source lightweight scan
Build/Cesium/Cesium.js5.47 MB file, sampled 256 KB
HighEntropyStringsMinified
Build/Cesium/index.cjs4.34 MB file, sampled 256 KB
ChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org
Build/Cesium/index.js4.29 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinifiedUrlStringsgithub.comwww.apache.org
Build/CesiumUnminified/Cesium.js13.8 MB file, sampled 256 KB
HighEntropyStringsUrlStringsgithub.com
Build/CesiumUnminified/index.cjs9.87 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsgithub.com
Build/CesiumUnminified/index.js9.78 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsgithub.com

Source & flagged code

5 flagged · loading source
Source/ThirdParty/Workers/basis_transcoder.jsView file
8L9: var Module=typeof BASIS!=="undefined"?BASIS:{};var readyPromiseResolve,readyPromiseReject;Module["ready"]=new Promise(function(resolve,reject){readyPromiseResolve=resolve;readyProm... L10:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

Source/ThirdParty/Workers/basis_transcoder.jsView on unpkg · L8
8L9: var Module=typeof BASIS!=="undefined"?BASIS:{};var readyPromiseResolve,readyPromiseReject;Module["ready"]=new Promise(function(resolve,reject){readyPromiseResolve=resolve;readyProm... L10:
Low
Eval

Package source references a known benign dynamic code generation pattern.

Source/ThirdParty/Workers/basis_transcoder.jsView on unpkg · L8
Source/ThirdParty/draco_decoder.wasmView file
path = Source/ThirdParty/draco_decoder.wasm kind = wasm_module sizeBytes = 285948 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

Source/ThirdParty/draco_decoder.wasmView on unpkg
Build/CesiumUnminified/index.jsView file
path = Build/CesiumUnminified/index.js kind = oversized_source_file sizeBytes = 10253551 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

Build/CesiumUnminified/index.jsView on unpkg
Build/CesiumUnminified/Workers/transcodeKTX2.jsView file
matchType = package_source_clone_identity_mismatch matchedPackage = cesium@1.143.0 matchedPath = [redacted]-web-worker.js matchedIdentity = npm:Y2VzaXVt:1.143.0 similarity = 0.637 shingleOverlap = 51 summary = source files closely matched a different published package identity
High
Package Source Clone Identity Mismatch

Package source closely matches a different published package identity; review for dependency-confusion or copied-code abuse.

Build/CesiumUnminified/Workers/transcodeKTX2.jsView on unpkg

Findings

2 High5 Medium7 Low
HighOversized Source FileBuild/CesiumUnminified/index.js
HighPackage Source Clone Identity MismatchBuild/CesiumUnminified/Workers/transcodeKTX2.js
MediumDynamic RequireSource/ThirdParty/Workers/basis_transcoder.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm ModuleSource/ThirdParty/draco_decoder.wasm
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalSource/ThirdParty/Workers/basis_transcoder.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings