registry  /  @tmf_ciclica/ciclicastorybook  /  1.2.161

@tmf_ciclica/ciclicastorybook@1.2.161

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The exported `PercentageBar` evaluates a string formula supplied in item data at render time. No install-time mutation, persistence, or exfiltration behavior was confirmed.

Static reason
One or more suspicious static signals were detected.
Trigger
A consuming application renders `PercentageBar` with an attacker-controlled `items[].translationFormula`.
Impact
Arbitrary JavaScript execution in the consuming application's browser origin.
Mechanism
Runtime dynamic JavaScript evaluation via `new Function`.
Rationale
This is a concrete browser-side code-injection capability exposed through a string prop, but the inspected source does not show malicious install-time or exfiltration behavior. Downgrade to warn for the vulnerability rather than blocking it as malware.
Evidence
dist/index.es.jsdist/index.cjs.jspackage.jsonREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/index.es.js` evaluates `translationFormula` with `new Function`.
  • `PercentageBar` accepts `items[].translationFormula` as a string and invokes the evaluator during render.
  • A controlling application that passes untrusted item data can cause arbitrary JavaScript in its browser origin.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • No child-process, filesystem, credential-harvesting, or agent-control-surface code was found.
  • No `fetch`, XHR, WebSocket, or beacon use was found in the bundled ESM entrypoint.
  • Mapbox token reads and the default Mapbox RTL-plugin URL are map-component configuration, not exfiltration.
Behavioral surface
Source
ChildProcessEnvironmentVarsEval
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 2 file(s), 817 KB of source, external domains: api.mapbox.com, fb.me, fonts.googleapis.com, mui.com, unpkg.com, v7.mui.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/index.cjs.jsView file
80patternName = generic_password severity = medium line = 80 matchedText = To suppr...cle}
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.cjs.jsView on unpkg · L80
82${i?st.completed:""}`,style:o?{backgroundColor:t}:{},onClick:n.onClick,children:r+1}),r<e.length-1&&l.jsx("div",{className:st.connector})]}),l.jsx("div",{className:`${st.label} ${o... L83: ${o&&On.active}`,children:l.jsx("span",{className:On.buttonName,children:t(i)})})},r)})})};Zi.propTypes={buttons:s.arrayOf(s.shape({isActive:s.bool,name:s.string,onClick:s.func}))....
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.cjs.jsView on unpkg · L82
dist/index.es.jsView file
9390patternName = generic_password severity = medium line = 9390 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L9390

Findings

3 Medium6 Low
MediumSecret Patterndist/index.cjs.js
MediumEnvironment Vars
MediumSecret Patterndist/index.es.js
LowScripts Present
LowEvaldist/index.cjs.js
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License