registry  /  @zjlab-fe/data-hub-ui  /  0.24.0

@zjlab-fe/data-hub-ui@0.24.0

`import { InputTag } from '@zjlab-fe/data-hub-ui`

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The exported file-preview UI dynamically injects unpinned JavaScript modules from `haina-datahub.zero2x.org` for Excel/CSV and PDF rendering. A compromise of that host can execute JavaScript in the consuming application's browser origin when the relevant preview component is rendered.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A consumer renders the exported `FilePreview` component for an `xlsx`, `csv`, or `pdf` file.
Impact
Remote asset-host compromise can run code in the consuming web application's origin; no install-time, Node-process, persistence, or data-exfiltration behavior was confirmed.
Mechanism
Dynamic browser script injection from hardcoded remote asset URLs.
Rationale
Static inspection resolves the package as a browser UI library with a concrete, user-triggered remote-code execution supply-chain surface: its FilePreview components inject executable scripts from a hardcoded external host without integrity pinning. This is a critical vulnerability and warrants a warning, but the inspected source does not establish malware intent or an install-time attack chain.
Evidence
package.jsones/index.jslib/index.jses/components/file-preview/index.jses/components/file-preview/util.jses/components/file-preview/excel-preview/index.jses/components/file-preview/pdf-preview/index.js
Network endpoints5
haina-datahub.zero2x.org/ossRoute/frontend/resources/npm/x-data-spreadsheet/1.1.9/dist/xspreadsheet.jshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/xlsx/0.18.5/dist/xlsx.full.min.jshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/papaparse/5.5.2/papaparse.min.jshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/pdfjs-dist/4.7.76/build/pdf.min.mjshaina-datahub.zero2x.org/ossRoute/frontend/resources/npm/pdfjs-dist/4.7.76/build/pdf.worker.min.mjs

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `es/components/file-preview/util.js` dynamically appends `<script>` elements for `.js` and `.mjs` URLs without integrity or signature verification.
  • `es/components/file-preview/excel-preview/index.js` supplies three hardcoded JavaScript URLs on `haina-datahub.zero2x.org` to that loader when its Excel/CSV preview component mounts.
  • `es/components/file-preview/pdf-preview/index.js` similarly loads hardcoded `pdfjs-dist` module and worker URLs from `haina-datahub.zero2x.org` when its PDF preview component mounts.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` script; its only lifecycle script is `prepare: husky`, with no shipped `.husky` hook or `scripts/` payload found.
  • `es/index.js` exports a browser React component library; `es/components/file-preview/index.js` reaches the remote loaders only after a consumer renders `FilePreview` for `xlsx`, `csv`, or `pdf` input.
  • No Node built-in imports, `child_process`, filesystem writes, credential/token access, network exfiltration endpoint, persistence mechanism, AI-agent control-surface path, encoded payload, or reviewer-directed package text was found in the inspected package files.
  • The static version diff reports no added files, lifecycle changes, dependency changes, or new capabilities; its generic `lib/index.js` dangerous-delta signal is not supported by the inspected bundled entrypoint or its corresponding ES component sources.
Behavioral surface
Source
FilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 227 file(s), 981 KB of source, external domains: alidocs.dingtalk.com, haina-datahub.zero2x.org, www.unpkg.com, www.w3.org

Source & flagged code

1 flagged · loading source
lib/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zjlab-fe/data-hub-ui@0.23.0 matchedIdentity = npm:QHpqbGFiLWZlL2RhdGEtaHViLXVp:0.23.0 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

lib/index.jsView on unpkg

Findings

1 Critical2 Medium5 Low
CriticalPrevious Version Dangerous Deltalib/index.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings