AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malware behavior was found, but the package has unresolved risk from obfuscated runtime code and embedded cloud storage credentials. Activation is through the Vue app importing and registering the package components.
Decision evidence
public snapshot- src/components/excelImport/index.js and mixins.js are heavily obfuscated and imported by src/index.js during app bootstrap
- src/components/excelImport/mixins.js performs runtime $http POSTs to configured import endpoints with parsed spreadsheet data
- src/components/obsUpload/mixins.js contains hardcoded Huawei OBS access_key_id/secret_access_key/server/Bucket defaults
- src/components/xform uses many user-configured new Function/eval hooks for form scripts and rendering
- package.json has no preinstall/install/postinstall lifecycle hooks, bin, main, or module entry
- No child_process, shell execution, native binary loading, persistence, or AI-agent control-surface writes found
- Network use is app-aligned: axios/$http to process.env.VUE_APP_BASE_API or configured upload/import endpoints
- Obfuscated excel import code appears to implement UI import/download workflow, not credential harvesting or external exfiltration
Source & flagged code
5 flagged · loading sourcePackage contains a possible secret pattern.
src/components/xform/utils/sfc-generator.jsView on unpkg · L125Package source references a known benign dynamic code generation pattern.
src/components/hiprint/hiprint.bundle.jsView on unpkg · L1296Package source references dynamic require/import behavior.
src/mixins/mobile/wf/index.jsView on unpkg · L5Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
src/components/excelImport/mixins.jsView on unpkg · L16Package ships high-entropy non-source blobs.
src/components/hiprint/fonts/glyphicons-halflings-regular.woffView on unpkg