AI Security Review
scanned 2h ago · by lpm-firewall-aiNo concrete malicious payload or credential-exfiltration path is established. The only lifecycle behavior is a prepare-time Husky command, which is VCS-hook setup rather than an npm install payload.
Static reason
No blocking static signals were detected.
Trigger
npm lifecycle execution of `prepare`; normal runtime use of checkout components.
Impact
Potential VCS-hook configuration during prepare; runtime requests support the package's checkout flows.
Mechanism
Prepare-time Husky setup and browser payment SDK API requests.
Rationale
Source inspection found package-aligned checkout networking and a bundled Lottie eval pattern, not malware. Downgrade to warn solely for the prepare-time Husky lifecycle hook setup.
Evidence
package.jsondist/index.cjs.jsdist/cjs/config-CqNE4L0z.jsdist/collection/api/client.jsdist/cjs/lottie-NxKK9TIf.jsloader/index.cjs.jsdist/cjs/cdn-xyOQZA0_.jsdist/cjs/assets-lacLS4dN.js
Network endpoints5
api.rebill.com/v3api.rebill.dev/v3sdk-iframe.rebill.to/v3-1/index.htmlsdk-iframe.rebill.dev/v3-1/index.htmlunpkg.com/rebill
Decision evidence
public snapshotAI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json declares lifecycle `prepare: husky install`.
- `prepare` can configure VCS hooks when lifecycle execution is enabled.
Evidence against
- No `preinstall`, `install`, or `postinstall` hook in package.json.
- Package contains no `.husky` directory or executable files.
- Entrypoints only load bundled Web Components code.
- dist/cjs/config-CqNE4L0z.js uses declared Rebill payment API endpoints.
- The flagged eval is inside bundled Lottie expression handling in dist/cjs/lottie-NxKK9TIf.js.
- No package references to credential paths, agent-control files, child_process, or filesystem writes were found.
Behavioral surface
ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/rebill/p-GK75wIKe.jsView file
8License: MIT, header required.
L9: */var Matrix=function(){var t=Math.cos;var i=Math.sin;var e=Math.tan;var r=Math.round;function s(){this.props[0]=1;this.props[1]=0;this.props[2]=0;this.props[3]=0;this.props[4]=0;t...
L10: //# sourceMappingURL=p-GK75wIKe.js.map
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/rebill/p-GK75wIKe.jsView on unpkg · L8Findings
4 Medium8 Low
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/rebill/p-GK75wIKe.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings