registry  /  @trustpayments/js-payments-card  /  2.2.1108

@trustpayments/js-payments-card@2.2.1108

TypeScript Payment Card

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only notable behavior is a manifest preinstall helper, while published entrypoints implement payment-card formatting, validation, DOM rendering, and styling.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install may run preinstall; application import/user input activates card UI code
Impact
No credential harvesting, exfiltration, persistence, or destructive action identified
Mechanism
install helper plus browser DOM card formatter
Rationale
Static inspection found an install-time preinstall script, but no package source showing malicious behavior or exfiltration. The runtime bundle is consistent with a payment-card UI component and uses local embedded assets and DOM manipulation only.
Evidence
package.jsondist/index.jsdist/index.cjsdist/index.d.tsREADME.md

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines preinstall: npx force-resolutions, an install-time command
Evidence against
  • dist/index.js and dist/index.cjs are bundled browser card UI/validation code using DOM APIs and embedded data:image logos
  • No fetch/XMLHttpRequest/WebSocket/sendBeacon or runtime network endpoints found in dist files
  • No fs, child_process, eval/Function, dynamic require/import, native binary loading, persistence, or destructive behavior found
  • README/package URLs are documentation/repository/test-environment references, not runtime exfiltration
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Minified
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 156 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = npx force-resolutions
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = npx force-resolutions
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present