AI Security Review
scanned 2h ago · by lpm-firewall-aiThe exported file-preview UI dynamically injects unpinned JavaScript modules from `haina-datahub.zero2x.org` for Excel/CSV and PDF rendering. A compromise of that host can execute JavaScript in the consuming application's browser origin when the relevant preview component is rendered.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A consumer renders the exported `FilePreview` component for an `xlsx`, `csv`, or `pdf` file.
Impact
Remote asset-host compromise can run code in the consuming web application's origin; no install-time, Node-process, persistence, or data-exfiltration behavior was confirmed.
Mechanism
Dynamic browser script injection from hardcoded remote asset URLs.
Rationale
Static inspection resolves the package as a browser UI library with a concrete, user-triggered remote-code execution supply-chain surface: its FilePreview components inject executable scripts from a hardcoded external host without integrity pinning. This is a critical vulnerability and warrants a warning, but the inspected source does not establish malware intent or an install-time attack chain.
Evidence
package.jsones/index.jslib/index.jses/components/file-preview/index.jses/components/file-preview/util.jses/components/file-preview/excel-preview/index.jses/components/file-preview/pdf-preview/index.js
Network endpoints5
haina-datahub.zero2x.org/ossRoute/frontend/resources/npm/x-data-spreadsheet/1.1.9/dist/xspreadsheet.jshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/xlsx/0.18.5/dist/xlsx.full.min.jshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/papaparse/5.5.2/papaparse.min.jshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/pdfjs-dist/4.7.76/build/pdf.min.mjshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/pdfjs-dist/4.7.76/build/pdf.worker.min.mjs
Decision evidence
public snapshotAI called this Suspicious at 95.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `es/components/file-preview/util.js` dynamically appends `<script>` elements for `.js` and `.mjs` URLs without integrity or signature verification.
- `es/components/file-preview/excel-preview/index.js` supplies three hardcoded JavaScript URLs on `haina-datahub.zero2x.org` to that loader when its Excel/CSV preview component mounts.
- `es/components/file-preview/pdf-preview/index.js` similarly loads hardcoded `pdfjs-dist` module and worker URLs from `haina-datahub.zero2x.org` when its PDF preview component mounts.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` script; its only lifecycle script is `prepare: husky`, with no shipped `.husky` hook or `scripts/` payload found.
- `es/index.js` exports a browser React component library; `es/components/file-preview/index.js` reaches the remote loaders only after a consumer renders `FilePreview` for `xlsx`, `csv`, or `pdf` input.
- No Node built-in imports, `child_process`, filesystem writes, credential/token access, network exfiltration endpoint, persistence mechanism, AI-agent control-surface path, encoded payload, or reviewer-directed package text was found in the inspected package files.
- The static version diff reports no added files, lifecycle changes, dependency changes, or new capabilities; its generic `lib/index.js` dangerous-delta signal is not supported by the inspected bundled entrypoint or its corresponding ES component sources.
Behavioral surface
FilesystemNetwork
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcelib/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @zjlab-fe/data-hub-ui@0.23.0
matchedIdentity = npm:QHpqbGFiLWZlL2RhdGEtaHViLXVp:0.23.0
similarity = 0.992
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
lib/index.jsView on unpkgFindings
1 Critical2 Medium5 Low
CriticalPrevious Version Dangerous Deltalib/index.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings