AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious package attack surface is established. Runtime network use loads user-configured media, social embeds, maps, and SVG assets; the Lottie evaluator supports animation expressions only when a Lottie component processes them.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer renders configured media, embed, map, SVG, or Lottie components.
Impact
No install-time execution, host mutation, credential harvesting, persistence, or exfiltration chain was found.
Mechanism
browser-side component asset loading and Lottie expression evaluation
Rationale
Direct inspection contradicts the scanner's malicious label: the package is a browser-component distribution with no lifecycle execution or Node host-access primitives. Its eval, network APIs, and bidi literals are attributable to Lottie rendering, configured component assets/embeds, and date UI formatting.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/DateField.jsdist/site/components/TextInput/component.jsdist/site/components/chunks/svg.js
Network endpoints3
www.tiktok.com/player/v1/${videoId}maps.googleapis.com/maps/api/jsstatic.wixstatic.com/shapes
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/site/components/Lottie/component.js` evaluates Lottie animation-expression text at runtime.
- `dist/site/components/Lottie/component.js` and media/UI components use fetch/XHR for supplied assets and embeds.
- `dist/site/components/chunks/DateField.js` contains bidi isolates as literal date-formatting segments.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- Published files are limited to `dist/site`; exports are browser component entrypoints.
- No distributed `child_process`, filesystem, shell, credential-path, or package-manager config access was found.
- The sole eval is within bundled Lottie expression support, not install/import-time execution.
- DateField bidi characters are explicit UI literal values, not hidden source control flow.
- Observed URLs are component-aligned third-party embed/map resources, not an exfiltration endpoint.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/DateField.jsView file
6423contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/DateField.jsView on unpkg · L6423dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/DateField.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings