AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The only notable behavior is a manifest preinstall helper, while published entrypoints implement payment-card formatting, validation, DOM rendering, and styling.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install may run preinstall; application import/user input activates card UI code
Impact
No credential harvesting, exfiltration, persistence, or destructive action identified
Mechanism
install helper plus browser DOM card formatter
Rationale
Static inspection found an install-time preinstall script, but no package source showing malicious behavior or exfiltration. The runtime bundle is consistent with a payment-card UI component and uses local embedded assets and DOM manipulation only.
Evidence
package.jsondist/index.jsdist/index.cjsdist/index.d.tsREADME.md
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines preinstall: npx force-resolutions, an install-time command
Evidence against
- dist/index.js and dist/index.cjs are bundled browser card UI/validation code using DOM APIs and embedded data:image logos
- No fetch/XMLHttpRequest/WebSocket/sendBeacon or runtime network endpoints found in dist files
- No fs, child_process, eval/Function, dynamic require/import, native binary loading, persistence, or destructive behavior found
- README/package URLs are documentation/repository/test-environment references, not runtime exfiltration
Behavioral surface
Minified
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = npx force-resolutions
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.preinstall = npx force-resolutions
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present