registry  /  md-components-mdigial-azamat  /  0.0.310

md-components-mdigial-azamat@0.0.310

npm version patch npm run build npm publish

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are tied to expected UI features such as formula evaluation, downloads, media upload, and CMS/API fetching.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User renders or interacts with exported React components
Impact
No confirmed unauthorized file access, execution, persistence, or exfiltration
Mechanism
Benign component-library runtime features
Rationale
Static source inspection shows a bundled React component/CMS library with package-aligned browser APIs and no install-time malware, exfiltration, persistence, or destructive behavior. Scanner findings are explainable by benign fonts, bundled editor code, local storage UI settings/tokens, and user-invoked network/download features.
Evidence
package.jsondist/main.jsdist/CustomCalculator/hooks/useCalculator.jsdist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.jsdist/ModuleArm/components/MediaUrlField.jsdist/ModuleBlock/api.jsdist/clientApi-ccb08ba6.jsdist/Actions/downloadFile/downloadFile.jsdist/assets/Inter-Medium.woff2
Network endpoints3
mbank.kg/api/mbank.kg/constructor-api/constructor-api/api

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare hook, but it only runs husky
  • dist/CustomCalculator/hooks/useCalculator.js uses new Function for user-configured formulas
  • dist/ModuleArm/components/MediaUrlField.js reads a bearer token from local/sessionStorage for mbank constructor uploads
Evidence against
  • package.json publishes only dist and has no install/postinstall hook or bin entry
  • dist/main.js is a React component library barrel with static imports/exports
  • No child_process, fs, native addon, shell, destructive, persistence, or credential exfiltration code found
  • Network use is package-aligned: mbank.kg/constructor API, user-supplied download/API URLs, image/social links
  • Trojan-source hits in NewsBodyRichTextEditor.js are benign zero-width/variation characters in bundled ProseMirror/Tiptap code/comments
  • High-entropy blobs are .woff2 font assets only
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 852 file(s), 2.74 MB of source, external domains: api.example.com, api.whatsapp.com, app.mbank.kg, apps.apple.com, cdn-icons-png.flaticon.com, cdn.tailwindcss.com, developer.mozilla.org, example.com, facebook.com, fb.me, github.com, hub.mbank.kg, images.unsplash.com, img.youtube.com, instagram.com, linkedin.com, mbank.kg, murabaha.mbank.kg, picsum.photos, play.google.com, prosemirror.net, s-c.sh, styled-components.com, t.me, upload.wikimedia.org, w3c.github.io, wallpapercave.com, www.google.com, www.styled-components.com, www.w3.org, www.youtube.com

Source & flagged code

3 flagged · loading source
dist/CustomCalculator/hooks/useCalculator.jsView file
204try { L205: t[e.id] = new Function(...n, `return ${e.expression}`); L206: } catch {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/CustomCalculator/hooks/useCalculator.jsView on unpkg · L204
dist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.jsView file
1557contains invisible/control Unicode U+200B (zero width space) Get the _n_<U+200B>th outgoing edge from this node in the finite
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.jsView on unpkg · L1557
dist/assets/Inter-Medium.woff2View file
path = dist/assets/Inter-Medium.woff2 kind = high_entropy_blob sizeBytes = 108096 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/Inter-Medium.woff2View on unpkg

Findings

1 Critical1 High3 Medium6 Low
CriticalTrojan Source Unicodedist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.js
HighShips High Entropy Blobdist/assets/Inter-Medium.woff2
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/CustomCalculator/hooks/useCalculator.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License