registry  /  cloud-web-corejs  /  1.0.250

cloud-web-corejs@1.0.250

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are browser-side Vue application features for importing/exporting files, printing, routing, and app API calls.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports spreadsheets, uses print/upload/UI workflow components, or runs the Vue app.
Impact
No install-time execution, persistence, credential exfiltration, or destructive behavior identified.
Mechanism
package-aligned frontend components and app API calls
Rationale
Static inspection shows a Vue component library/application package with obfuscated but package-aligned import logic and bundled UI code, not an install-time or import-time payload. Network and token use route through the host app's configured API base or documented print/upload services, with no concrete exfiltration or persistence behavior found.
Evidence
package.jsonsrc/components/excelImport/mixins.jssrc/components/hiprint/hiprint.bundle.jssrc/utils/request.jssrc/utils/auth.jssrc/mixins/mobile/wf/index.jssrc/components/wf/wfUtil.jssrc/store/modules/permission.js

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/components/excelImport/mixins.js is heavily obfuscated and posts imported spreadsheet rows via this.$http to configured app endpoints.
  • src/components/hiprint/hiprint.bundle.js contains eval/new Function patterns in bundled print/designer code.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare hooks and no bin/main entrypoint.
  • src/utils/request.js sends requests to process.env.VUE_APP_BASE_API with the app token for normal Vue API calls.
  • src/mixins/mobile/wf/index.js and src/components/wf/wfUtil.js use dynamic require only for local Vue workflow components.
  • src/utils/auth.js stores and reads the app token from sessionStorage; no credential harvesting or external exfiltration found.
  • No child_process, filesystem writes, persistence hooks, AI-agent control-surface writes, or lifecycle mutation found in inspected sources.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 258 file(s), 3.73 MB of source, external domains: cainiao-oss-sh-read.oss-cn-shanghai.aliyuncs.com, cdn.bootcss.com, cdn.staticfile.org, cloudprint.cainiao.com, file-link.pinduoduo.com, github.com, hiprint.io, ks3-cn-beijing.ksyun.com, ks3-cn-beijing.ksyuncs.com, lf26-cdn-tos.bytecdntp.com, map.baidu.com, meta.pinduoduo.com, obs.cn-south-1.myhuaweicloud.com, portrait.gitee.com, prod-oms-app-cprt.jdwl.com, vos.vipstatic.com, www.vform666.com, www.w3.org, xhswaybill-printer-1251524319.cos.ap-shanghai.myqcloud.com

Source & flagged code

5 flagged · loading source
src/components/xform/utils/sfc-generator.jsView file
125patternName = generic_password severity = medium line = 125 matchedText = showPass... '',
Medium
Secret Pattern

Package contains a possible secret pattern.

src/components/xform/utils/sfc-generator.jsView on unpkg · L125
src/components/hiprint/hiprint.bundle.jsView file
1296var s = "formatter=" + this.options.formatter; L1297: eval(s); L1298: } catch (t) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/components/hiprint/hiprint.bundle.jsView on unpkg · L1296
src/mixins/mobile/wf/index.jsView file
5getWfObj(path) { L6: return require(`../../../components/mobile/wf${path}`).default; L7: },
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/mixins/mobile/wf/index.jsView on unpkg · L5
src/components/excelImport/mixins.jsView file
16}; L17: function _0x47a6(_0x1e39ba,_0xe90b39){const _0x13ce7f=_0xe90b();_0x47a6=function(_0x4106a1,_0x47a825){_0x4106a1=_0x4106a1-0x0;let _0x44fded=_0x13ce7f[_0x4106a1];if(_0x47a6["\u006f\... L18: export const mixins = tmixins;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

src/components/excelImport/mixins.jsView on unpkg · L16
src/components/hiprint/fonts/glyphicons-halflings-regular.woffView file
path = [redacted]-halflings-regular.woff kind = high_entropy_blob sizeBytes = 23424 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/components/hiprint/fonts/glyphicons-halflings-regular.woffView on unpkg

Findings

3 High5 Medium5 Low
HighObfuscated Payload Loadersrc/components/excelImport/mixins.js
HighObfuscated
HighShips High Entropy Blobsrc/components/hiprint/fonts/glyphicons-halflings-regular.woff
MediumSecret Patternsrc/components/xform/utils/sfc-generator.js
MediumDynamic Requiresrc/mixins/mobile/wf/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalsrc/components/hiprint/hiprint.bundle.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License