registry  /  feedsweep  /  2.19.0

feedsweep@2.19.0

Tidy up the HTML content in web feeds. Fix feed-specific quirks so content displays in its best possible form.

AI Security Review

scanned 17m ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a feed HTML cleanup library with runtime DOM/string transforms and static embed URL construction.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
importing and calling transformContent or exported transforms; prepare only when installing from source/VCS
Impact
No credential theft, exfiltration, persistence, destructive behavior, or unconsented broad agent control-surface mutation found
Mechanism
HTML/feed DOM normalization and sanitizer-style transforms
Rationale
Static inspection shows package-aligned HTML/feed transformation code and a prepare-only lefthook script, with no install-time attack chain in registry installs and no exfiltration or code execution primitives. The scanner's Trojan Source hint appears to be an intentional zero-width character in a regex character class for permalink marker matching.
Evidence
package.jsondist/index.jsdist/defaults.jsdist/transforms/dom/normalizeAnchoredHeadings.jsdist/embeds/youtube.jsdist/embeds/vimeo.jsdist/embeds/dailymotion.js
Network endpoints9
www.dailymotion.com/embed/video/www.dailymotion.com/video/www.dailymotion.com/thumbnail/video/player.vimeo.com/video/vimeo.com/i.ytimg.com/vi/www.youtube.com/embed/www.youtube.com/watch?v=fast.wistia.net/embed/iframe/

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has a prepare script: lefthook install
Evidence against
  • package.json has no preinstall/install/postinstall scripts and publishes only dist files
  • dist/index.js only composes HTML/feed transforms and exports package functions
  • dist/transforms/dom/normalizeAnchoredHeadings.js rewrites heading anchor DOM nodes; no execution, filesystem, credential, or network behavior
  • Unicode finding is a zero-width character inside permalinkLabelRegex for glyph matching, not bidi control flow hiding
  • rg found no child_process, fs writes, eval/Function, dynamic import/require, credential access, or lifecycle persistence code
  • Network URLs are static embed/thumbnail URLs for YouTube/Vimeo/Dailymotion/Wistia and package docs, aligned with feed HTML transformation
Behavioral surface
Source
ChildProcess
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 81 file(s), 144 KB of source, external domains: fast.wistia.net, i.ytimg.com, player.vimeo.com, vimeo.com, www.dailymotion.com, www.youtube.com

Source & flagged code

2 flagged · loading source
dist/transforms/dom/normalizeAnchoredHeadings.jsView file
19contains invisible/control Unicode U+200B (zero width space) const permalinkLabelRegex = /^[#¶§❡\u{1f517}<U+200B>]+$/u;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/transforms/dom/normalizeAnchoredHeadings.jsView on unpkg · L19
Trigger-reachable chain: manifest.exports -> dist/index.js -> [redacted].js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/transforms/dom/normalizeAnchoredHeadings.jsView on unpkg

Findings

2 Critical1 Medium3 Low
CriticalTrojan Source Unicodedist/transforms/dom/normalizeAnchoredHeadings.js
CriticalTrigger Reachable Dangerous Capabilitydist/transforms/dom/normalizeAnchoredHeadings.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings