registry  /  rebill  /  1.17.26

rebill@1.17.26

Stencil Component Starter

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network activity is payment-SDK functionality activated by an embedding application, with no install-time execution or host mutation.

Static reason
No blocking static signals were detected.
Trigger
Host application imports and initializes Rebill checkout components.
Impact
Processes checkout-related user input only through configured Rebill service endpoints; no package-host persistence, credential harvesting, or remote code execution is established.
Mechanism
Browser payment-session API and checkout iframe requests.
Rationale
Static source inspection shows a browser checkout SDK with configured Rebill payment endpoints and no concrete malicious chain. The prepare hook is development Husky setup, and its referenced scripts are not shipped.
Evidence
package.jsonloader/index.cjs.jsdist/index.cjs.jsdist/esm/config-02SQUsaC.jsdist/components/rebill-checkout.jsdist/components/p-DeU4V6ve.jsdist/components/p-DEbLk_Ax.jsdist/components/p-GK75wIKe.js
Network endpoints4
api.rebill.com/v3api.rebill.dev/v3sdk-iframe.rebill.to/v3-1/index.htmlsdk-iframe.rebill.dev/v3-1/index.html

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, or postinstall hook; its only lifecycle hook is prepare: husky install.
    • Published entrypoints in loader/index.cjs.js and dist/index.cjs.js only load bundled SDK modules.
    • dist/esm/config-02SQUsaC.js configures a payment SDK API and iframe hosts, not arbitrary remote payloads.
    • Source searches found no Node filesystem, child_process, credential-path, or AI-agent control-surface access.
    • No shipped scripts/ directory exists for the manifest's development-oriented prepare command.
    • The flagged bundled chunk is a browser Lottie dependency; no confirmed malicious eval execution was found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 524 file(s), 17.2 MB of source, external domains: api.rebill.com, api.rebill.dev, bugs.chromium.org, bugs.webkit.org, cdnjs.cloudflare.com, chat.stenciljs.com, css-tricks.com, developer.chrome.com, developer.mozilla.org, docs.stripe.com, ecma-international.org, eev.ee, ejohn.org, en.wikipedia.org, es5.github.io, flattr.com, github.com, html.spec.whatwg.org, js.stripe.com, jspdf.default.namespaceuri, lodash.com, mathiasbynens.be, mdn.io, mths.be, npms.io, openjsf.org, opensource.org, pastebin.com, peter.michaux.ca, sdk-iframe.rebill.dev, sdk-iframe.rebill.to, stackoverflow.com, stenciljs.com, tc39.es, underscorejs.org, unpkg.com, v3.docs.rebill.com, webpjs.appspot.com, wonko.com, www.ecma-international.org, www.google.com, www.html5rocks.com, www.i18next.com, www.npmjs.com, www.pagofacil.com.ar, www.phpied.com, www.quasimondo.com, www.rebill.com, www.w3.org

    Source & flagged code

    1 flagged · loading source
    dist/rebill/p-GK75wIKe.jsView file
    8License: MIT, header required. L9: */var Matrix=function(){var t=Math.cos;var i=Math.sin;var e=Math.tan;var r=Math.round;function s(){this.props[0]=1;this.props[1]=0;this.props[2]=0;this.props[3]=0;this.props[4]=0;t... L10: //# sourceMappingURL=p-GK75wIKe.js.map
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/rebill/p-GK75wIKe.jsView on unpkg · L8

    Findings

    4 Medium8 Low
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/rebill/p-GK75wIKe.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings