registry  /  lumenedit  /  1.5.0

lumenedit@1.5.0

Lumen — embeddable code editor, GitHub sync engine, local history and smart preloading as a reusable library

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime networking implements the documented GitHub editor/sync workflow and explicit code-run feature in a browser context.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer explicitly calls GitHub/sync APIs or invokes the editor's run-code feature.
Impact
May read/write the caller-selected GitHub repository or submit caller-provided code to Wandbox; no stealthy execution, host mutation, or credential exfiltration chain was found.
Mechanism
User-directed browser GitHub synchronization and remote code compilation.
Rationale
The scanner findings map to legitimate bundled browser-editor functionality: static parser imports, documented GitHub synchronization, and an explicit remote code-run button. Source inspection found no install-time mutation, hidden payload, credential harvesting, broad agent-control writes, or unrelated network destination.
Evidence
package.jsondist-lib/index.jsdist-lib/github.jsdist-lib/sync.jsdist-lib/preload.jsdist-lib/editor-B58EoYUJ.js
Network endpoints2
api.github.comwandbox.org/api/compile.json

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `dist-lib/github.js` can write user-selected repository files via GitHub API when `commitFile` is called.
  • `dist-lib/editor-B58EoYUJ.js` posts user-provided code to Wandbox only through exported `runCode` behavior.
Evidence against
  • `package.json` has only a `prepare` build script; no preinstall/install/postinstall hook or executable.
  • `dist-lib/index.js` only re-exports browser editor, GitHub sync, storage, and preload modules.
  • GitHub requests target only `https://api.github.com` and use the caller-supplied token/repository reference.
  • `dist-lib/sync.js` persists and replays only transactions explicitly enqueued through `SyncEngine`.
  • The eight flagged Unicode controls are a CodeMirror regex character class at `dist-lib/editor-B58EoYUJ.js:9183`, not hidden executable logic.
  • Dynamic imports are static relative language-parser chunks; no Node child-process, eval, VM, or environment harvesting was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 126 file(s), 2.15 MB of source, external domains: api.github.com, github.com, sqlite.org, www.espertech.com, www.postgresql.org, www.sqlite.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist-lib/editor-B58EoYUJ.jsView file
9183contains invisible/control Unicode U+200B (zero width space) --Ÿ­؜<U+200B><U+200E><U+200F>\u2028\u2029<U+202D><U+202E><U+2066><U+2067><U+2069>\uFEFF-]`, Qr), k2 = {
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist-lib/editor-B58EoYUJ.jsView on unpkg · L9183
Trigger-reachable chain: manifest.exports -> dist-lib/editor.js -> dist-lib/editor-B58EoYUJ.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-lib/editor-B58EoYUJ.jsView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist-lib/editor-B58EoYUJ.js
CriticalTrigger Reachable Dangerous Capabilitydist-lib/editor-B58EoYUJ.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings