registry  /  rebill  /  1.17.27

rebill@1.17.27

Stencil Component Starter

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No concrete malicious payload or credential-exfiltration path is established. The only lifecycle behavior is a prepare-time Husky command, which is VCS-hook setup rather than an npm install payload.

Static reason
No blocking static signals were detected.
Trigger
npm lifecycle execution of `prepare`; normal runtime use of checkout components.
Impact
Potential VCS-hook configuration during prepare; runtime requests support the package's checkout flows.
Mechanism
Prepare-time Husky setup and browser payment SDK API requests.
Rationale
Source inspection found package-aligned checkout networking and a bundled Lottie eval pattern, not malware. Downgrade to warn solely for the prepare-time Husky lifecycle hook setup.
Evidence
package.jsondist/index.cjs.jsdist/cjs/config-CqNE4L0z.jsdist/collection/api/client.jsdist/cjs/lottie-NxKK9TIf.jsloader/index.cjs.jsdist/cjs/cdn-xyOQZA0_.jsdist/cjs/assets-lacLS4dN.js
Network endpoints5
api.rebill.com/v3api.rebill.dev/v3sdk-iframe.rebill.to/v3-1/index.htmlsdk-iframe.rebill.dev/v3-1/index.htmlunpkg.com/rebill

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json declares lifecycle `prepare: husky install`.
  • `prepare` can configure VCS hooks when lifecycle execution is enabled.
Evidence against
  • No `preinstall`, `install`, or `postinstall` hook in package.json.
  • Package contains no `.husky` directory or executable files.
  • Entrypoints only load bundled Web Components code.
  • dist/cjs/config-CqNE4L0z.js uses declared Rebill payment API endpoints.
  • The flagged eval is inside bundled Lottie expression handling in dist/cjs/lottie-NxKK9TIf.js.
  • No package references to credential paths, agent-control files, child_process, or filesystem writes were found.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 524 file(s), 17.2 MB of source, external domains: api.rebill.com, api.rebill.dev, bugs.chromium.org, bugs.webkit.org, cdnjs.cloudflare.com, chat.stenciljs.com, css-tricks.com, developer.chrome.com, developer.mozilla.org, docs.stripe.com, ecma-international.org, eev.ee, ejohn.org, en.wikipedia.org, es5.github.io, flattr.com, github.com, html.spec.whatwg.org, js.stripe.com, jspdf.default.namespaceuri, lodash.com, mathiasbynens.be, mdn.io, mths.be, npms.io, openjsf.org, opensource.org, pastebin.com, peter.michaux.ca, sdk-iframe.rebill.dev, sdk-iframe.rebill.to, stackoverflow.com, stenciljs.com, tc39.es, underscorejs.org, unpkg.com, v3.docs.rebill.com, webpjs.appspot.com, wonko.com, www.ecma-international.org, www.google.com, www.html5rocks.com, www.i18next.com, www.npmjs.com, www.pagofacil.com.ar, www.phpied.com, www.quasimondo.com, www.rebill.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/rebill/p-GK75wIKe.jsView file
8License: MIT, header required. L9: */var Matrix=function(){var t=Math.cos;var i=Math.sin;var e=Math.tan;var r=Math.round;function s(){this.props[0]=1;this.props[1]=0;this.props[2]=0;this.props[3]=0;this.props[4]=0;t... L10: //# sourceMappingURL=p-GK75wIKe.js.map
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/rebill/p-GK75wIKe.jsView on unpkg · L8

Findings

4 Medium8 Low
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/rebill/p-GK75wIKe.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings