registry  /  @syncfusion/ej2-base  /  34.1.29

@syncfusion/ej2-base@34.1.29

A common package of Essential JS 2 base libraries, methods and class definitions

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are tied to an explicit Syncfusion license/package maintenance CLI and normal browser networking helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly runs npx syncfusion-license activate or validate, or app code calls exported Ajax/Fetch/license helpers.
Impact
May update local package.json or Syncfusion license placeholders; no evidence of unconsented install-time execution or exfiltration.
Mechanism
User-invoked license activation and package-version validation
Rationale
Static inspection found obfuscated CLI code with filesystem writes and npm view execution, but it is not lifecycle-triggered and is aligned with explicit Syncfusion license activation/validation. Runtime network APIs are library features or license/account links, with no fixed exfiltration or malicious install-time behavior.
Evidence
package.jsonbin/syncfusion-license.jsindex.jssrc/ajax.jssrc/fetch.jssrc/validate-lic.jsdist/ej2-base.umd.min.jsdist/ej2-base.min.js./syncfusion-license.txt./package.json./node_modules/@syncfusion/ej2-base/src/validate-lic.js./node_modules/@syncfusion/ej2-base/dist/es6/ej2-base.es2015.js./node_modules/@syncfusion/ej2-base/dist/es6/ej2-base.es5.js./node_modules/@syncfusion/ej2-base/dist/ej2-base.umd.min.js
Network endpoints5
github.com/syncfusion/ej2-javascript-ui-controls.gitwww.syncfusion.com/javascript-ui-controlswww.syncfusion.com/account/claim-license-key?pl=SmF2YVNjcmlwdA==&vs=MzQ=&utm_source=es_license_validation_banner&utm_medium=listing&utm_campaign=license-informationsupport.syncfusion.com/create?utm_source=es_license_validation_banner&utm_medium=listing&utm_campaign=license-informationwww.syncfusion.com/forums?utm_source=es_license_validation_banner&utm_medium=listing&utm_campaign=license-information

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/syncfusion-license.js is obfuscated and exposes a syncfusion-license bin.
  • bin/syncfusion-license.js can read SYNCFUSION_LICENSE, ./syncfusion-license.txt, or a user-supplied path.
  • bin/syncfusion-license.js can write ./package.json and @syncfusion/ej2-base license placeholders during explicit activate/validate.
  • bin/syncfusion-license.js uses child_process.exec for npm view during explicit validate.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • index.js only re-exports src modules; import does not run the CLI.
  • src/ajax.js and src/fetch.js implement user-directed Ajax/Fetch wrappers, not fixed exfiltration endpoints.
  • src/validate-lic.js performs Syncfusion license checks and UI banner/overlay rendering.
  • CLI validates package names before npm view and is scoped to @syncfusion dependency maintenance.
  • No credential harvesting, persistence, destructive behavior, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 48 file(s), 2.37 MB of source, external domains: 150.107.121.2, ej2services.syncfusion.com, hub-cloud.browserstack.com, support.syncfusion.com, www.syncfusion.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/ej2-base.min.jsView file
9*/ L10: !function(M,t){"object"==typeof exports&&"object"==typeof module?module.exports=t():"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.SyncfusionBa...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/ej2-base.min.jsView on unpkg · L9
bin/syncfusion-license.jsView file
1#! /usr/bin/env node L2: 'use strict';const _0x4ecdc6=_0xd774;(function(_0x250c29,_0x27b2cd){const _0x1befe6=_0xd774,_0x349a10=_0x250c29();while(!![]){try{const _0xb63cc0=-parseInt(_0x1befe6(0x21e))/0x1*(p...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

bin/syncfusion-license.jsView on unpkg · L1
1#! /usr/bin/env node L2: 'use strict';const _0x4ecdc6=_0xd774;(function(_0x250c29,_0x27b2cd){const _0x1befe6=_0xd774,_0x349a10=_0x250c29();while(!![]){try{const _0xb63cc0=-parseInt(_0x1befe6(0x21e))/0x1*(p...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/syncfusion-license.jsView on unpkg · L1

Findings

2 High3 Medium5 Low
HighObfuscated Payload Loaderbin/syncfusion-license.js
HighObfuscated
MediumDynamic Requirebin/syncfusion-license.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowEvaldist/ej2-base.min.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License