registry  /  cloud-web-corejs  /  1.0.249

cloud-web-corejs@1.0.249

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. The main risk is an obfuscated, user-invoked Excel import component that talks to the host app's configured backend.

Static reason
One or more suspicious static signals were detected.
Trigger
User opens/uses Vue UI components such as excelImport or print/upload widgets
Impact
No confirmed credential harvesting, persistence, destructive action, or exfiltration beyond intended app requests
Mechanism
frontend business UI network calls and local dynamic component loading
Rationale
Static inspection found suspicious obfuscation in a frontend Excel import mixin, but its observed behavior is package-aligned and user-invoked, with no lifecycle hook, persistence, filesystem mutation, foreign agent control-surface writes, or confirmed exfiltration. The static hints appear noisy for this package.
Evidence
package.jsonsrc/components/excelImport/mixins.jssrc/mixins/mobile/wf/index.jssrc/components/xform/utils/sfc-generator.jssrc/components/hiprint/hiprint.bundle.jssrc/components/hiprint/fonts/glyphicons-halflings-regular.woff
Network endpoints7
registry.npmjs.org/localhost:17521meta.pinduoduo.com/api/one/app/v1/lateststable?appId=com.xunmeng.pddprint&platform=windows&subType=mainfile-link.pinduoduo.com/sf_oneobs.cn-south-1.myhuaweicloud.comjsonplaceholder.typicode.com/posts/crm-dev.hisense.com

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/components/excelImport/mixins.js is deliberately obfuscated and performs runtime Excel import/download actions
  • src/components/xform/form-designer/form-widget/field-widget/vabUpload2-widget.vue contains commented example tokens/URLs
Evidence against
  • package.json has no preinstall/install/postinstall/prepare hooks and no bin/main entrypoint
  • No child_process/fs persistence/AI-agent control-surface writes found by source grep
  • src/components/excelImport/mixins.js uses package-aligned Vue/XLSX import flows, getToken, $http, and configured VUE_APP_BASE_API/USER_PREFIX endpoints
  • src/mixins/mobile/wf/index.js dynamic require loads local workflow Vue components only
  • src/components/hiprint/fonts/glyphicons-halflings-regular.woff is a normal WOFF font
  • Network URLs are UI/printing/upload examples or product service endpoints, not confirmed exfiltration
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 258 file(s), 3.73 MB of source, external domains: cainiao-oss-sh-read.oss-cn-shanghai.aliyuncs.com, cdn.bootcss.com, cdn.staticfile.org, cloudprint.cainiao.com, file-link.pinduoduo.com, github.com, hiprint.io, ks3-cn-beijing.ksyun.com, ks3-cn-beijing.ksyuncs.com, lf26-cdn-tos.bytecdntp.com, map.baidu.com, meta.pinduoduo.com, obs.cn-south-1.myhuaweicloud.com, portrait.gitee.com, prod-oms-app-cprt.jdwl.com, vos.vipstatic.com, www.vform666.com, www.w3.org, xhswaybill-printer-1251524319.cos.ap-shanghai.myqcloud.com

Source & flagged code

5 flagged · loading source
src/components/xform/utils/sfc-generator.jsView file
125patternName = generic_password severity = medium line = 125 matchedText = showPass... '',
Medium
Secret Pattern

Package contains a possible secret pattern.

src/components/xform/utils/sfc-generator.jsView on unpkg · L125
src/components/hiprint/hiprint.bundle.jsView file
1296var s = "formatter=" + this.options.formatter; L1297: eval(s); L1298: } catch (t) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/components/hiprint/hiprint.bundle.jsView on unpkg · L1296
src/mixins/mobile/wf/index.jsView file
5getWfObj(path) { L6: return require(`../../../components/mobile/wf${path}`).default; L7: },
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/mixins/mobile/wf/index.jsView on unpkg · L5
src/components/excelImport/mixins.jsView file
16}; L17: function _0x47a6(_0x1e39ba,_0xe90b39){const _0x13ce7f=_0xe90b();_0x47a6=function(_0x4106a1,_0x47a825){_0x4106a1=_0x4106a1-0x0;let _0x44fded=_0x13ce7f[_0x4106a1];if(_0x47a6["\u006f\... L18: export const mixins = tmixins;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

src/components/excelImport/mixins.jsView on unpkg · L16
src/components/hiprint/fonts/glyphicons-halflings-regular.woffView file
path = [redacted]-halflings-regular.woff kind = high_entropy_blob sizeBytes = 23424 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/components/hiprint/fonts/glyphicons-halflings-regular.woffView on unpkg

Findings

3 High5 Medium5 Low
HighObfuscated Payload Loadersrc/components/excelImport/mixins.js
HighObfuscated
HighShips High Entropy Blobsrc/components/hiprint/fonts/glyphicons-halflings-regular.woff
MediumSecret Patternsrc/components/xform/utils/sfc-generator.js
MediumDynamic Requiresrc/mixins/mobile/wf/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalsrc/components/hiprint/hiprint.bundle.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License