AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a React component library with built dist assets, stories, fonts, and bundled Storybook/test helpers.
Decision evidence
public snapshot- package.json has prepare and prepublishOnly scripts, but they are publish/dev workflow commands
- dist/test-Gtly6H2f.js contains a dynamic require shim from bundled Storybook runtime
- dist/test-Gtly6H2f.js contains U+200C inside CSS selector parsing logic
- package.json main/types point to dist/index.js, which only re-exports React components
- No install/postinstall lifecycle hook or import-time shell execution found
- rg found no child_process, fs writes, credential harvesting, or exfiltration code in runtime JS
- Network URL hits are docs, SVG namespaces, Storybook/React/Lexical messages, or mock story data
- High-entropy files are SourceSans font assets under dist/assets/fonts
- dist/test-Gtly6H2f.js is Storybook/testing bundled code used by story files, not the main runtime entry
Source & flagged code
7 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/test-Gtly6H2f.jsView on unpkg · L11147Package contains a possible secret pattern.
dist/test-Gtly6H2f.jsView on unpkg · L17090Hardcoded password in dist/test-Gtly6H2f.js
dist/test-Gtly6H2f.jsView on unpkg · L17209Package ships high-entropy non-source blobs.
dist/assets/fonts/SourceSans3-Regular.otf.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
dist/components/DataTable/DataTable.stories.jsView on unpkg