registry  /  @uva-glass/component-library  /  3.57.3

@uva-glass/component-library@3.57.3

React components UvA

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a React component library with built dist assets, stories, fonts, and bundled Storybook/test helpers.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
importing exported React components or explicitly running package development/publish scripts
Impact
No credential theft, persistence, destructive action, or unauthorized network behavior identified
Mechanism
component exports and development build tooling
Rationale
Static inspection shows scanner hits are package-aligned build/storybook artifacts, font blobs, mock data, and normal library code. I found no concrete install-time or import-time malicious behavior.
Evidence
package.jsondist/index.jsdist/test-Gtly6H2f.jsdist/components/DataTable/DataTable.stories.jsdist/assets/fonts/SourceSans3-Regular.otf.woff2README.md

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare and prepublishOnly scripts, but they are publish/dev workflow commands
  • dist/test-Gtly6H2f.js contains a dynamic require shim from bundled Storybook runtime
  • dist/test-Gtly6H2f.js contains U+200C inside CSS selector parsing logic
Evidence against
  • package.json main/types point to dist/index.js, which only re-exports React components
  • No install/postinstall lifecycle hook or import-time shell execution found
  • rg found no child_process, fs writes, credential harvesting, or exfiltration code in runtime JS
  • Network URL hits are docs, SVG namespaces, Storybook/React/Lexical messages, or mock story data
  • High-entropy files are SourceSans font assets under dist/assets/fonts
  • dist/test-Gtly6H2f.js is Storybook/testing bundled code used by story files, not the main runtime entry
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVars
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 395 file(s), 3.64 MB of source, external domains: 123-reg.co.uk, addthis.com, alibaba.com, altervista.org, arizona.edu, army.mil, ask.com, biglobe.ne.jp, blog.com, bloglines.com, bloglovin.com, blogs.com, boston.com, cargocollective.com, census.gov, chronoengine.com, clickbank.net, cnbc.com, cnn.com, columbia.edu, constantcontact.com, cpanel.net, dailymotion.com, de.vu, discovery.com, discuz.net, dot.gov, drupal.org, ebay.co.uk, ebay.com, eepurl.com, examiner.com, exblog.jp, facebook.com, fema.gov, flavors.me, fotki.com, free.fr, ftc.gov, github.com, gnu.org, go.com, goo.ne.jp, google.com.br, google.de, google.es, google.it, google.nl, gov.uk, harvard.edu
Oversized source lightweight scan
dist/components/DataTable/DataTable.stories.js3.39 MB file, sampled 256 KB
UrlStrings123-reg.co.ukaddthis.comalibaba.comaltervista.orgarizona.eduarmy.milask.combiglobe.ne.jpblog.combloglines.combloglovin.comblogs.comboston.comcargocollective.comcensus.govchronoengine.comclickbank.netcnbc.comcnn.comcolumbia.educonstantcontact.comcpanel.netdailymotion.comde.vu

Source & flagged code

7 flagged · loading source
dist/test-Gtly6H2f.jsView file
11147contains invisible/control Unicode U+200C (zero width non-joiner) return t = t.replace(/("|')(?:\\\1|.)*?\1/g, (e) => e.replace(/,/g, "<U+200C>")), t.split(",").map((e) => sp(e.replace(/\u200C/g, ",")));
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/test-Gtly6H2f.jsView on unpkg · L11147
17090patternName = generic_password severity = medium line = 17090 matchedText = return e..., e;
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/test-Gtly6H2f.jsView on unpkg · L17090
17209patternName = generic_password severity = medium line = 17209 matchedText = return e..., e;
Medium
Secret Pattern

Hardcoded password in dist/test-Gtly6H2f.js

dist/test-Gtly6H2f.jsView on unpkg · L17209
dist/assets/fonts/SourceSans3-Regular.otf.woff2View file
path = dist/assets/fonts/SourceSans3-Regular.otf.woff2 kind = high_entropy_blob sizeBytes = 156716 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/fonts/SourceSans3-Regular.otf.woff2View on unpkg
dist/components/DataTable/DataTable.stories.jsView file
path = [redacted].stories.js kind = oversized_source_file sizeBytes = 3557029 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/components/DataTable/DataTable.stories.jsView on unpkg
dist/esm-BXzGXYWZ.jsView file
299patternName = generic_password severity = medium line = 299 matchedText = return e..., e;
Medium
Secret Pattern

Hardcoded password in dist/esm-BXzGXYWZ.js

dist/esm-BXzGXYWZ.jsView on unpkg · L299
436patternName = generic_password severity = medium line = 436 matchedText = return e..., e;
Medium
Secret Pattern

Hardcoded password in dist/esm-BXzGXYWZ.js

dist/esm-BXzGXYWZ.jsView on unpkg · L436

Findings

1 Critical2 High7 Medium6 Low
CriticalTrojan Source Unicodedist/test-Gtly6H2f.js
HighShips High Entropy Blobdist/assets/fonts/SourceSans3-Regular.otf.woff2
HighOversized Source Filedist/components/DataTable/DataTable.stories.js
MediumSecret Patterndist/test-Gtly6H2f.js
MediumDynamic Require
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/test-Gtly6H2f.js
MediumSecret Patterndist/esm-BXzGXYWZ.js
MediumSecret Patterndist/esm-BXzGXYWZ.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License