registry  /  @trustpayments/js-payments-card  /  2.2.1114

@trustpayments/js-payments-card@2.2.1114

TypeScript Payment Card

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious payload was found in the package runtime. The remaining risk is an install-time preinstall hook that runs npx force-resolutions.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of the package
Impact
Unpinned external tool execution during install; no package-source evidence of exfiltration or destructive behavior.
Mechanism
install lifecycle invokes npx force-resolutions
Rationale
The package is not malicious by source evidence, but an install-time npx lifecycle hook is a real unresolved supply-chain risk worth warning on. Runtime entrypoints appear package-aligned for payment card input formatting/validation and DOM rendering.
Evidence
package.jsondist/index.jsdist/index.cjsdist/index.d.ts

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has install-time lifecycle: "preinstall": "npx force-resolutions"
  • preinstall invokes npx rather than bundled package code, creating install-time external tool execution risk
Evidence against
  • dist/index.js and dist/index.cjs are browser card UI/validation bundles exporting Card
  • Runtime code manipulates DOM inputs/styles and bundled card assets; no fetch/XHR/WebSocket/sendBeacon found
  • No child_process, eval/Function, dynamic import/require, process.env, cookie/localStorage harvesting found
  • No AI-agent control-surface writes, persistence, destructive actions, or credential exfiltration found
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Minified
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 156 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = npx force-resolutions
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = npx force-resolutions
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present