registry  /  @ytsaurus/ui  /  3.18.0

@ytsaurus/ui@3.18.0

User interface for a [YTsaurus platform](https://ytsaurus.tech) cluster.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time or import-time attack behavior is established. Runtime network calls are application features configured by the host deployment or initiated by authenticated UI actions.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Starting the server or invoking its documented UI/API routes
Impact
No confirmed credential harvesting, exfiltration, persistence, destructive action, or remote payload execution
Mechanism
Express UI server proxies configured AI-chat and VCS requests
Rationale
Direct inspection finds a packaged YTsaurus web UI/server with no install lifecycle execution or concrete malicious chain. Scanner signals resolve to standard bundled Monaco compatibility code, configured application integrations, and legitimate Unicode isolation characters.
Evidence
package.jsondist/server/index.jsdist/server/configure-app.jsdist/server/components/ai-chat.jsdist/public/build/json.5239aa2e.worker.jsdist/public/build/js/6988.30d090b8.chunk.jsdist/server/routes.jsdist/server/controllers/ai-chat.jsdist/server/controllers/vcs.jsdist/server/components/vcs/GithubApi.jsdist/server/components/vcs/GitlabApi.jsdist/public/build/js/settings-panel.d671400c.chunk.js

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare hook; only prepublishOnly runs a build.
    • dist/server/index.js starts an Express application only when invoked as the main module.
    • dist/server/configure-app.js dynamically loads only configured local secret/cluster config paths and has no shell execution.
    • dist/server/components/ai-chat.js sends user-requested chat data only to a deployment-configured baseUrl.
    • dist/public/build/json.5239aa2e.worker.js uses importScripts/process.env as Monaco editor worker compatibility code.
    • dist/public/build/js/6988.30d090b8.chunk.js bidi controls are Unicode isolation marks in date-display strings, not obfuscated control flow.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
    Manifest
    NoLicense
    scanned 426 file(s), 11.0 MB of source, external domains: developer.mozilla.org, fb.me, github.com, h.yandex-team.ru, monitoring-service.my-domain.com, my.monitoring.service, www.eclipse.org, www.w3.org, yastatic.net, ytsaurus.tech
    Oversized source lightweight scan
    dist/public/build/js/6096.111e12fd.chunk.js3.14 MB file, sampled 256 KB
    ChildProcessHighEntropyStringsMinified

    Source & flagged code

    6 flagged · loading source
    dist/public/build/js/main.52404ee3.jsView file
    1(self.webpackChunk_ytsaurus_ui=self.webpackChunk_ytsaurus_ui||[]).push([["6909"],{64477:function(){},93503:function(e,t,r){var n={"./ru":"46653"};function i(e){return r(o(e))}funct... L2: font-size: .6rem;
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/public/build/js/main.52404ee3.jsView on unpkg · L1
    dist/server/render-layout.jsView file
    5Object.defineProperty(exports, "__esModule", { value: true }); L6: const path_1 = __importDefault(require("path")); L7: const app_layout_1 = require("@gravity-ui/app-layout");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/server/render-layout.jsView on unpkg · L5
    dist/public/build/json.5239aa2e.worker.jsView file
    1(()=>{"use strict";var e={1472:function(e,t,r){var n=r(6299),i=r(6790),o=TypeError;e.exports=function(e){if(n(e))return e;throw new o(i(e)+" is not a function")}},3762:function(e,t... L2: //# sourceMappingURL=json.5239aa2e.worker.js.map
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/public/build/json.5239aa2e.worker.jsView on unpkg · L1
    dist/public/build/js/6988.30d090b8.chunk.jsView file
    2contains invisible/control Unicode U+2068 (first strong isolate) Please try using another token.`),{type:"literal",contentType:"letter"})}(t),i=function(e,t,a){if("digit"!==e)return!1;switch(t){case"year":if(H(a))return"0001"===(0,j.dateTime)().set("year",1).format(a);return"01"===(0,j.dateTime)().set("y
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/public/build/js/6988.30d090b8.chunk.jsView on unpkg · L2
    dist/public/build/js/6096.111e12fd.chunk.jsView file
    path = dist/public/build/js/6096.111e12fd.chunk.js kind = oversized_source_file sizeBytes = 3288367 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/public/build/js/6096.111e12fd.chunk.jsView on unpkg
    dist/public/build/js/settings-panel.d671400c.chunk.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @ytsaurus/ui@3.17.0 matchedIdentity = npm:QHl0c2F1cnVzL3Vp:3.17.0 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/public/build/js/settings-panel.d671400c.chunk.jsView on unpkg

    Findings

    1 Critical4 High5 Medium9 Low
    CriticalTrojan Source Unicodedist/public/build/js/6988.30d090b8.chunk.js
    HighChild Process
    HighSame File Env Network Executiondist/public/build/json.5239aa2e.worker.js
    HighOversized Source Filedist/public/build/js/6096.111e12fd.chunk.js
    HighPrevious Version Dangerous Deltadist/public/build/js/settings-panel.d671400c.chunk.js
    MediumDynamic Requiredist/server/render-layout.js
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/public/build/js/main.52404ee3.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings
    LowNo License