registry  /  cas-ds-web-components  /  1.3.25

cas-ds-web-components@1.3.25

Web Components based on CAS DS

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a bundled browser web-components library with import/runtime UI behavior and package-aligned API calls.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Browser import or use of the custom elements.
Impact
Expected UI data retrieval and rendering; no source evidence of exfiltration, install-time mutation, or remote code execution.
Mechanism
Web component rendering, font loading, icon loading, and Clinica Alemana API fetches.
Rationale
Static inspection found bundled Lit/Vaadin/md5/browser component code with expected UI network calls and no install-time execution, credential access, filesystem mutation, or malicious control-surface writes. Scanner hits map to benign framework code, remote SVG/icon loading, and package-aligned Clinica Alemana APIs.
Evidence
package.jsonREADME.mdbuild/cas-ds-web-components.mjsbuild/cas-ds-web-components.jsbuild/cas-snackbar.jsbuild/cas-utils.mjsbuild/cas-utils.js
Network endpoints5
fonts.googleapis.com/css2?family=Rubik:ital,wght@0,300..900;1,300..900&display=swapwww.clinicaalemana.cl/restapi/search/suggestionsportal-backend.clinicaalemana.cl/profs-med/profile-by-ppnportal-backend.clinicaalemana.cl/profs-med/get-by-areaagenda.clinicaalemana.cl/profesional/

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Import-time browser code appends a Google Fonts stylesheet link in build/cas-ds-web-components.mjs.
  • Runtime components fetch Clinica Alemana search/professional APIs when used.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and only a publish script.
  • new Function is Vaadin development-mode detector code, gated to localhost/development mode.
  • Remote SVG fetch parses icon markup into DOM/lit SVG, not decoded code execution.
  • No child_process, fs writes, credential harvesting, persistence, or AI-agent config mutation found.
  • Network hosts are UI/product-aligned for fonts and Clinica Alemana component data.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 343 file(s), 6.89 MB of source, external domains: agenda.clinicaalemana.cl, centrodeayuda.clinicaalemana.cl, d51h1y0hva8v.cloudfront.net, developer.mozilla.org, eloisa-ds.vercel.app, exameneslab.alemana.cl, fonts.googleapis.com, github.com, jedwatson.github.io, m.alemana.cl, miclave.clinicaalemana.cl, momentjs.com, odontologia.alemana.cl, open.spotify.com, pagos.clinicaalemana.cl, polymer.github.io, portal-backend.clinicaalemana.cl, reserva.alemana.cl, reserva.clinicaalemana.cl, simulador.clinicaalemana.cl, t.me, teledermatologia.clinicaalemana.cl, twitter.com, vaadin.com, wa.me, www.alemana.cl, www.alemanaseguros.cl, www.clinicaalemana.cl, www.facebook.com, www.instagram.com, www.linkedin.com, www.suseso.cl, www.w3.org, www.webpay.cl, www.youtube.com
Oversized source lightweight scan
build/cas-ds-web-components.js8.27 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsagenda.clinicaalemana.clfonts.googleapis.comjedwatson.github.ioreserva.alemana.clreserva.clinicaalemana.clteledermatologia.clinicaalemana.clvaadin.comwww.clinicaalemana.clwww.w3.org
build/cas-icon.js6.87 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringswww.w3.org
build/icons/flat/gears.mjs2.17 MB file, sampled 256 KB
MinifiedUrlStringswww.w3.org
build/icons/flat/senior-couple.mjs2.21 MB file, sampled 256 KB
UrlStringswww.w3.org

Source & flagged code

5 flagged · loading source
build/cas-ds-web-components.mjsView file
10const font2 = document.createElement("link"); L11: font2.setAttribute("href", "https://fonts.googleapis.com/css2?family=Rubik:ital,wght@0,300..900;1,300..900&display=swap"); L12: font2.setAttribute("rel", "stylesheet"); ... L27: typings, L28: "private": true L29: }; ... L2276: handleParameter() { L2277: const urlParams = new URLSearchParams(window.location.search); L2278: const rsv = urlParams.get("rsv"); ... L4330: try { L4331: outValue = JSON.parse( L4332: /** @type {string} */
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

build/cas-ds-web-components.mjsView on unpkg · L10
8171try { L8172: callback = new Function(match[1]); L8173: } catch (e5) {
High
Eval

Package source references dynamic code evaluation.

build/cas-ds-web-components.mjsView on unpkg · L8171
10const font2 = document.createElement("link"); L11: font2.setAttribute("href", "https://fonts.googleapis.com/css2?family=Rubik:ital,wght@0,300..900;1,300..900&display=swap"); L12: font2.setAttribute("rel", "stylesheet"); ... L27: typings, L28: "private": true L29: }; ... L2276: handleParameter() { L2277: const urlParams = new URLSearchParams(window.location.search); L2278: const rsv = urlParams.get("rsv"); ... L4330: try { L4331: outValue = JSON.parse( L4332: /** @type {string} */
Low
Weak Crypto

Package source references weak cryptographic algorithms.

build/cas-ds-web-components.mjsView on unpkg · L10
build/cas-snackbar.jsView file
1(function(b,p){typeof exports=="object"&&typeof module<"u"?p(exports,require("@eloisa-ds/base-styles")):typeof define=="function"&&define.amd?define(["exports","@eloisa-ds/base-sty... L2: * @license
Medium
Dynamic Require

Package source references dynamic require/import behavior.

build/cas-snackbar.jsView on unpkg · L1
build/cas-ds-web-components.jsView file
path = build/cas-ds-web-components.js kind = oversized_source_file sizeBytes = 8667499 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

build/cas-ds-web-components.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalRemote Asset Decode Executebuild/cas-ds-web-components.mjs
HighChild Process
HighEvalbuild/cas-ds-web-components.mjs
HighOversized Source Filebuild/cas-ds-web-components.js
MediumDynamic Requirebuild/cas-snackbar.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptobuild/cas-ds-web-components.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License