registry  /  lumenedit  /  1.4.0

lumenedit@1.4.0

Lumen — embeddable code editor, GitHub sync engine, local history and smart preloading as a reusable library

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Network-capable functions are exported browser features activated with caller-supplied repository credentials or source code, rather than import-time behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer explicitly invokes GitHub sync/commit APIs or `runCode` with supplied inputs.
Impact
Can write to the repository authorized by the caller's token or submit caller-provided code to Wandbox; no passive exfiltration or install-time mutation found.
Mechanism
User-directed GitHub repository operations and remote code compilation.
Rationale
The scanner findings map to legitimate browser editor capabilities: fixed local language imports, GitHub syncing, and an explicit remote compiler action. Source inspection found no concrete malicious chain or automatic install/import-time attack behavior.
Evidence
package.jsondist-lib/index.jsdist-lib/editor.jsdist-lib/github.jsdist-lib/sync.jsdist-lib/preload.jsdist-lib/editor-B0kRnzul.js
Network endpoints2
api.github.comwandbox.org/api/compile.json

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` has a `prepare` build hook, not preinstall/install/postinstall.
  • `dist-lib/github.js` can PUT content to a caller-specified GitHub repository.
  • `dist-lib/editor-B0kRnzul.js` can POST caller-provided code to Wandbox.
Evidence against
  • `dist-lib/index.js` only re-exports browser editor, GitHub, sync, and preload APIs.
  • `dist-lib/github.js` sends an Authorization token only to `https://api.github.com` for explicit repository operations.
  • `dist-lib/editor-B0kRnzul.js` dynamic imports are fixed local language-support chunks.
  • `dist-lib/sync.js` uses IndexedDB for local sync state; `preload.js` uses localStorage for editor prediction data.
  • The reported invisible Unicode is part of a RegExp that detects control/invisible characters.
  • No child-process, eval, environment harvesting, foreign agent-config mutation, binary loading, or stealth persistence was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 126 file(s), 2.12 MB of source, external domains: api.github.com, github.com, sqlite.org, www.espertech.com, www.postgresql.org, www.sqlite.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist-lib/editor-B0kRnzul.jsView file
9183contains invisible/control Unicode U+200B (zero width space) --Ÿ­؜<U+200B><U+200E><U+200F>\u2028\u2029<U+202D><U+202E><U+2066><U+2067><U+2069>\uFEFF-]`, Qr), xp = {
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist-lib/editor-B0kRnzul.jsView on unpkg · L9183
Trigger-reachable chain: manifest.exports -> dist-lib/editor.js -> dist-lib/editor-B0kRnzul.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-lib/editor-B0kRnzul.jsView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist-lib/editor-B0kRnzul.js
CriticalTrigger Reachable Dangerous Capabilitydist-lib/editor-B0kRnzul.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings