registry  /  cloud-web-corejs  /  1.0.248

cloud-web-corejs@1.0.248

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malware behavior was found, but the package has unresolved risk from obfuscated runtime code and embedded cloud storage credentials. Activation is through the Vue app importing and registering the package components.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports src/index.js or invokes ExcelImport/OBS upload components
Impact
Potential credential exposure and hard-to-audit runtime network behavior; no confirmed exfiltration or install-time compromise
Mechanism
obfuscated Vue component logic plus hardcoded OBS credentials
Attack narrative
On normal npm install there is no lifecycle execution. When the consuming Vue app imports src/index.js, it registers ExcelImport, whose obfuscated files add import/download behavior and post spreadsheet rows to configured backend URLs. OBS upload code ships default cloud credentials and endpoint values. These are serious review risks, but inspection did not show package install compromise, foreign persistence, credential harvesting from the host, or exfiltration to an attacker-controlled endpoint.
Rationale
Static source inspection supports a warning for obfuscated runtime application code and exposed cloud credentials, but not a publish block because there is no install-time execution or concrete malicious exfiltration/persistence path. The suspicious primitives are mainly user/app-invoked Vue import/upload/form scripting features.
Evidence
package.jsonsrc/index.jssrc/components/excelImport/index.jssrc/components/excelImport/mixins.jssrc/components/obsUpload/mixins.jssrc/utils/request.jssrc/utils/auth.js
Network endpoints2
obs.cn-south-1.myhuaweicloud.comprocess.env.VUE_APP_BASE_API

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • src/components/excelImport/index.js and mixins.js are heavily obfuscated and imported by src/index.js during app bootstrap
  • src/components/excelImport/mixins.js performs runtime $http POSTs to configured import endpoints with parsed spreadsheet data
  • src/components/obsUpload/mixins.js contains hardcoded Huawei OBS access_key_id/secret_access_key/server/Bucket defaults
  • src/components/xform uses many user-configured new Function/eval hooks for form scripts and rendering
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks, bin, main, or module entry
  • No child_process, shell execution, native binary loading, persistence, or AI-agent control-surface writes found
  • Network use is app-aligned: axios/$http to process.env.VUE_APP_BASE_API or configured upload/import endpoints
  • Obfuscated excel import code appears to implement UI import/download workflow, not credential harvesting or external exfiltration
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 258 file(s), 3.73 MB of source, external domains: cainiao-oss-sh-read.oss-cn-shanghai.aliyuncs.com, cdn.bootcss.com, cdn.staticfile.org, cloudprint.cainiao.com, file-link.pinduoduo.com, github.com, hiprint.io, ks3-cn-beijing.ksyun.com, ks3-cn-beijing.ksyuncs.com, lf26-cdn-tos.bytecdntp.com, map.baidu.com, meta.pinduoduo.com, obs.cn-south-1.myhuaweicloud.com, portrait.gitee.com, prod-oms-app-cprt.jdwl.com, vos.vipstatic.com, www.vform666.com, www.w3.org, xhswaybill-printer-1251524319.cos.ap-shanghai.myqcloud.com

Source & flagged code

5 flagged · loading source
src/components/xform/utils/sfc-generator.jsView file
125patternName = generic_password severity = medium line = 125 matchedText = showPass... '',
Medium
Secret Pattern

Package contains a possible secret pattern.

src/components/xform/utils/sfc-generator.jsView on unpkg · L125
src/components/hiprint/hiprint.bundle.jsView file
1296var s = "formatter=" + this.options.formatter; L1297: eval(s); L1298: } catch (t) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/components/hiprint/hiprint.bundle.jsView on unpkg · L1296
src/mixins/mobile/wf/index.jsView file
5getWfObj(path) { L6: return require(`../../../components/mobile/wf${path}`).default; L7: },
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/mixins/mobile/wf/index.jsView on unpkg · L5
src/components/excelImport/mixins.jsView file
16}; L17: function _0x47a6(_0x1e39ba,_0xe90b39){const _0x13ce7f=_0xe90b();_0x47a6=function(_0x4106a1,_0x47a825){_0x4106a1=_0x4106a1-0x0;let _0x44fded=_0x13ce7f[_0x4106a1];if(_0x47a6["\u006f\... L18: export const mixins = tmixins;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

src/components/excelImport/mixins.jsView on unpkg · L16
src/components/hiprint/fonts/glyphicons-halflings-regular.woffView file
path = [redacted]-halflings-regular.woff kind = high_entropy_blob sizeBytes = 23424 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/components/hiprint/fonts/glyphicons-halflings-regular.woffView on unpkg

Findings

3 High5 Medium5 Low
HighObfuscated Payload Loadersrc/components/excelImport/mixins.js
HighObfuscated
HighShips High Entropy Blobsrc/components/hiprint/fonts/glyphicons-halflings-regular.woff
MediumSecret Patternsrc/components/xform/utils/sfc-generator.js
MediumDynamic Requiresrc/mixins/mobile/wf/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalsrc/components/hiprint/hiprint.bundle.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License