AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Risky primitives are tied to expected UI features such as formula evaluation, downloads, media upload, and CMS/API fetching.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User renders or interacts with exported React components
Impact
No confirmed unauthorized file access, execution, persistence, or exfiltration
Mechanism
Benign component-library runtime features
Rationale
Static source inspection shows a bundled React component/CMS library with package-aligned browser APIs and no install-time malware, exfiltration, persistence, or destructive behavior. Scanner findings are explainable by benign fonts, bundled editor code, local storage UI settings/tokens, and user-invoked network/download features.
Evidence
package.jsondist/main.jsdist/CustomCalculator/hooks/useCalculator.jsdist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.jsdist/ModuleArm/components/MediaUrlField.jsdist/ModuleBlock/api.jsdist/clientApi-ccb08ba6.jsdist/Actions/downloadFile/downloadFile.jsdist/assets/Inter-Medium.woff2
Network endpoints3
mbank.kg/api/mbank.kg/constructor-api/constructor-api/api
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has prepare hook, but it only runs husky
- dist/CustomCalculator/hooks/useCalculator.js uses new Function for user-configured formulas
- dist/ModuleArm/components/MediaUrlField.js reads a bearer token from local/sessionStorage for mbank constructor uploads
Evidence against
- package.json publishes only dist and has no install/postinstall hook or bin entry
- dist/main.js is a React component library barrel with static imports/exports
- No child_process, fs, native addon, shell, destructive, persistence, or credential exfiltration code found
- Network use is package-aligned: mbank.kg/constructor API, user-supplied download/API URLs, image/social links
- Trojan-source hits in NewsBodyRichTextEditor.js are benign zero-width/variation characters in bundled ProseMirror/Tiptap code/comments
- High-entropy blobs are .woff2 font assets only
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/CustomCalculator/hooks/useCalculator.jsView file
204try {
L205: t[e.id] = new Function(...n, `return ${e.expression}`);
L206: } catch {
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/CustomCalculator/hooks/useCalculator.jsView on unpkg · L204dist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.jsView file
1557contains invisible/control Unicode U+200B (zero width space)
Get the _n_<U+200B>th outgoing edge from this node in the finite
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.jsView on unpkg · L1557dist/assets/Inter-Medium.woff2View file
•path = dist/assets/Inter-Medium.woff2
kind = high_entropy_blob
sizeBytes = 108096
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/assets/Inter-Medium.woff2View on unpkgFindings
1 Critical1 High3 Medium6 Low
CriticalTrojan Source Unicodedist/Modules/News/arm/detail-form/NewsBodyRichTextEditor.js
HighShips High Entropy Blobdist/assets/Inter-Medium.woff2
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/CustomCalculator/hooks/useCalculator.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License