AI Security Review
scanned 17h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a Next.js internationalization library with runtime/build-time config helpers and optional translation cache network access under application configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
Application imports gt-next APIs or calls withGTConfig in Next.js config.
Impact
Expected package behavior; may read GT_* environment variables and fetch configured translation cache data when enabled.
Mechanism
Next.js i18n configuration, locale resolution, and translation loading
Rationale
Static source inspection found package-aligned Next.js i18n behavior, with config-file reads, environment variable reads, and optional translation cache fetches but no install-time execution or unconsented mutation/exfiltration. Scanner dynamic-require and network findings map to documented locale/request hook resolution and translation loading rather than malware.
Evidence
package.jsondist/index.server.jsdist/client.jsdist/server.jsdist/config.jsdist/config-dir/loadTranslation.jsdist/request/utils/getRequestFunction.jsdist/request/utils/legacyGetRequestFunction.jsgt.config.json.gt/gt.config.json.locadex/gt.config.jsondictionary/loadDictionary/loadTranslations/request function paths when configured by the app
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks or bin entrypoints.
- dist/index.server.js and dist/client.js primarily re-export gt-next/gt-react/server APIs.
- dist/config.js reads gt.config/env and returns a Next.js config object; it does not write files or mutate agent control surfaces.
- dist/config-dir/loadTranslation.js performs user-configured runtime translation cache fetches only when gt-next config enables remote translations.
- Dynamic require paths in dist/request/utils/*.js resolve package/user-configured gt-next request hooks for locale/region/domain handling.
- No child_process, eval, persistence, credential harvesting, destructive actions, or exfiltration behavior found.
Behavioral surface
DynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/client.jsView file
2Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
L3: require("./_virtual/_rolldown/runtime.js");
L4: let gt_react_client = require("gt-react/client");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/client.jsView on unpkg · L2dist/config.jsView file
309package = gt-next; repositoryIdentity = gt; dependency = @generaltranslation/compiler
L309: if (mergedConfig.experimentalCompilerOptions?.type === "babel") try {
L310: const { webpack: gtUnplugin } = require("@generaltranslation/compiler");
L311: webpackConfig.plugins.unshift(gtUnplugin(mergedConfig.experimentalCompilerOptions || {}));
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/config.jsView on unpkg · L309Findings
1 High4 Medium4 Low
HighCopied Package Dependency Bridgedist/config.js
MediumDynamic Requiredist/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings