
brep-io-kernel@1.0.281

- [NPM package: brep-io-kernel](https://www.npmjs.com/package/brep-io-kernel)
- [Live API examples](https://BREP.io/apiExamples/index.html)
- Developer Discord https:

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are package-aligned CAD/runtime features: static serving, WASM geometry modules, GitHub-backed storage, and explicit plugin loading.

Static reason
One or more suspicious static signals were detected; the diff against the previously stored version introduced dangerous source.
Trigger
User import or explicit CLI/app/plugin/storage use; no install-time trigger.
Impact
No evidence of unconsented credential theft, persistence, destructive behavior, or covert exfiltration.
Mechanism
CAD kernel with static server, WASM geometry loaders, GitHub storage, and user-invoked plugins.
Rationale
Static inspection found suspicious scanner signals, but the concrete code paths are package-aligned CAD functionality and user-invoked storage/plugin features. There is no lifecycle execution, covert endpoint, credential harvesting, persistence, or destructive behavior in the inspected source.
Evidence
• package.json
• dist-kernel/bin/brep-io-kernel.js
• dist-kernel/brep-kernel.js
• dist-kernel/vhacd-C8k5e0Pv.js
• dist-kernel/manifold-Dae-4w_d.js
• src/githubStorage.ts
• src/plugins/pluginManager.ts
• src/plugins/ghLoader.worker.ts
• src/BREP/setupManifold.ts
• dist/** served by dist-kernel/bin/brep-io-kernel.js when the CLI is run
• GitHub repo paths under brep-storage/ when the user configures GitHub storage
Network endpoints (3)
• api.github.com
• raw.githubusercontent.com
• cdn.jsdelivr.net

Decision evidence

public snapshot
AI called this Clean (Benign) at 86.0% confidence, with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks; scripts are build/test/dev only.
    • dist-kernel/bin/brep-io-kernel.js is a user-invoked static server reading package dist files with path traversal guard.
    • dist-kernel/brep-kernel.js imports CAD/BREP modules and bundled license text; no credential harvesting observed at import.
    • dist-kernel/vhacd-C8k5e0Pv.js and manifold bundles are Emscripten/WASM glue for geometry libraries, explaining require/Function/WebAssembly hits.
    • src/githubStorage.ts sends user-provided GitHub tokens only to GitHub API/content URLs for configured repo storage.
    • Plugin loading in src/plugins/pluginManager.ts is explicit user-provided repo/URL behavior, not install-time or hidden execution.
    Behavioral surface
    Source: ChildProcess, DynamicRequire, Eval, Filesystem, Network, Shell
    Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
    Manifest: NoLicense
    scanned 552 file(s), 25.1 MB of source, external domains: api.github.com, autodrop3d.com, babel.dev, blog.izs.me, brep.io, bugs.debian.org, cdn.jsdelivr.net, core-js.io, creativecommons.org, dejavu-fonts.github.io, design.ubuntu.com, developer.mozilla.org, dxf.vercel.app, example.com, github.com, html2canvas.hertzen.com, jcgt.org, marked.js.org, n8.io, openfontlicense.org, rapier.rs, raw.githubusercontent.com, schemas.microsoft.com, schemas.openxmlformats.org, scripts.sil.org, stuartk.com, tc39.es, threejs.org, www.boutrosfonts.com, www.debian.org, www.gnu.org, www.jmsole.cl, www.tipo.net.ar, www.w3.org
    Oversized source lightweight scan (each file sampled at 256 KB)
    • dist/assets/CAD-kPXWPEGY-DP66d3Vc.js (6.22 MB): Filesystem, DynamicRequire, HighEntropyStrings, Minified, UrlStrings; domains: brep.io
    • dist/assets/FeatureRegistry-lXkHxlxk.js (5.31 MB): ChildProcess, HighEntropyStrings, Minified, UrlStrings; domains: www.w3.org
    • dist/assets/PartHistory-Cx5q33QU-tOiqe5Pa.js (7.94 MB): HighEntropyStrings, Minified
    • dist/assets/featureDialogs-cUiKJ50f.js (3.17 MB): ChildProcess, HighEntropyStrings, Minified, UrlStrings; domains: www.w3.org
    • dist/assets/main-cad-CafV7k9S.js (5.88 MB): Network, HighEntropyStrings, UrlStrings; domains: api.github.com, www.w3.org
    • dist/assets/rapier-BP7Ta1oP-N5pb81sD.js (2.18 MB): Eval, HighEntropyStrings, Minified
    • dist-kernel/CAD-kPXWPEGY.js (7.90 MB): Filesystem, DynamicRequire, HighEntropyStrings
    • dist-kernel/PartHistory-Cx5q33QU.js (8.70 MB): HighEntropyStrings
    • dist-kernel/rapier-BP7Ta1oP.js (2.39 MB): HighEntropyStrings

    Source & flagged code

    10 flagged

    dist/assets/manifold-Dae-4w_d-DYgt_kqs.js (line 1)
    patternName = aws_access_key severity = critical line = 1 matchedText = var DQ=O...()+`
    Critical · Critical Secret
    Package contains a critical-looking secret pattern.

    dist/assets/manifold-Dae-4w_d-DYgt_kqs.js (line 1)
    patternName = aws_access_key severity = critical line = 1 matchedText = var DQ=O...()+`
    Critical · Secret Pattern
    AWS access key ID in dist/assets/manifold-Dae-4w_d-DYgt_kqs.js

    dist/assets/vhacd-C8k5e0Pv-DnlmoJET.js (line 1)
    var oC=Object.defineProperty;var Q=(G,a)=>oC(G,"name",{value:a,configurable:!0});var DC=Object.defineProperty,C=Q((G,a)=>DC(G,"name",{value:a,configurable:!0}),"C"),rC=(()=>{var G=... L2: "use strict"; return body.apply(this, arguments);
    Medium · Dynamic Require
    Package source references dynamic require/import behavior.

    dist/assets/vhacd-C8k5e0Pv-DnlmoJET.js (line 1)
    var oC=Object.defineProperty;var Q=(G,a)=>oC(G,"name",{value:a,configurable:!0});var DC=Object.defineProperty,C=Q((G,a)=>DC(G,"name",{value:a,configurable:!0}),"C"),rC=(()=>{var G=... L2: "use strict"; return body.apply(this, arguments);
    Low · Eval
    Package source references a known benign dynamic code generation pattern.

    dist/assets/rapier_wasm3d_bg-bb0TTxsO.wasm
    path = dist/assets/rapier_wasm3d_bg-bb0TTxsO.wasm kind = wasm_module sizeBytes = 1570176 magicHex = [redacted]
    Medium · Ships Wasm Module
    Package ships WebAssembly modules.

    dist/assets/rapier-BP7Ta1oP-N5pb81sD.js
    path = dist/assets/rapier-BP7Ta1oP-N5pb81sD.js kind = oversized_source_file sizeBytes = 2288928 magicHex = [redacted]
    High · Oversized Source File
    Package contains source files above the static scanner size ceiling.

    dist-kernel/vhacd-C8k5e0Pv.js
    matchType = previous_version_dangerous_delta matchedPackage = brep-io-kernel@1.0.279 matchedIdentity = npm:YnJlcC1pby1rZXJuZWw:1.0.279 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
    Critical · Previous Version Dangerous Delta
    This package version adds a dangerous source file absent from the previous stored version.

    dist/assets/manifold-DtREh3Um-DYgt_kqs.js (line 1)
    patternName = aws_access_key severity = critical line = 1 matchedText = var DQ=O...()+`
    Critical · Secret Pattern
    AWS access key ID in dist/assets/manifold-DtREh3Um-DYgt_kqs.js

    dist-kernel/manifold-DtREh3Um.js (line 501)
    patternName = aws_access_key severity = critical line = 501 matchedText = return n...ref;
    Critical · Secret Pattern
    AWS access key ID in dist-kernel/manifold-DtREh3Um.js

    dist-kernel/manifold-Dae-4w_d.js (line 501)
    patternName = aws_access_key severity = critical line = 501 matchedText = return n...ref;
    Critical · Secret Pattern
    AWS access key ID in dist-kernel/manifold-Dae-4w_d.js

    Findings

    6 Critical · 1 High · 4 Medium · 8 Low
    • Critical · Critical Secret · dist/assets/manifold-Dae-4w_d-DYgt_kqs.js
    • Critical · Previous Version Dangerous Delta · dist-kernel/vhacd-C8k5e0Pv.js
    • Critical · Secret Pattern · dist/assets/manifold-Dae-4w_d-DYgt_kqs.js
    • Critical · Secret Pattern · dist/assets/manifold-DtREh3Um-DYgt_kqs.js
    • Critical · Secret Pattern · dist-kernel/manifold-DtREh3Um.js
    • Critical · Secret Pattern · dist-kernel/manifold-Dae-4w_d.js
    • High · Oversized Source File · dist/assets/rapier-BP7Ta1oP-N5pb81sD.js
    • Medium · Dynamic Require · dist/assets/vhacd-C8k5e0Pv-DnlmoJET.js
    • Medium · Network
    • Medium · Ships Wasm Module · dist/assets/rapier_wasm3d_bg-bb0TTxsO.wasm
    • Medium · Structural Risk Force Deep Review
    • Low · Scripts Present
    • Low · Eval · dist/assets/vhacd-C8k5e0Pv-DnlmoJET.js
    • Low · Filesystem
    • Low · Obfuscated
    • Low · High Entropy Strings
    • Low · Telemetry
    • Low · Url Strings
    • Low · No License