registry  /  rebill  /  1.17.28

rebill@1.17.28

Stencil Component Starter

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The checkout component can deliberately inject consumer-provided browser JavaScript, and the SDK makes configured payment API requests during checkout use.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Host application imports and configures/renders the checkout component; custom script behavior requires its explicit `js` input.
Impact
No install-time mutation, host file access, secret harvesting, persistence, or unconsented remote payload chain was established.
Mechanism
Browser checkout rendering, configured API calls, and optional consumer-controlled script injection.
Rationale
Source inspection shows a browser payment SDK with consumer-invoked checkout and API functionality. Flagged primitives are bundled library or explicit host-configuration behavior, with no concrete malicious chain.
Evidence
package.jsonloader/index.jsloader/index.cjs.jsdist/components/rebill-checkout.jsdist/esm/rebill-checkout.entry.jsdist/esm/index-ZaTfXO9h.jsdist/esm/index-ZaTfXO9h.js.mapdist/esm/lottie-E0pOygkZ.jsdist/index.jsdist/index.cjs.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/components/rebill-checkout.js` supports a consumer-supplied `js` value that injects a browser script or URL.
  • `dist/esm/lottie-E0pOygkZ.js` contains Lottie expression `eval` support.
Evidence against
  • `package.json` has only `prepare: husky install`; no preinstall/install/postinstall hook.
  • Published entrypoints in `dist/` and `loader/` are browser SDK loaders, not install-time executables.
  • No Node filesystem, child-process, credential-path, or AI-agent-control references were found in runtime bundles.
  • Recovered `src/api/client.ts` source shows Axios requests to a configured payment API, with no hidden exfiltration endpoint.
  • The script-injection helper is activated only by the checkout component's explicit consumer-provided `js` property.
  • The `eval` occurrence is confined to bundled Lottie animation expression handling.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 524 file(s), 17.2 MB of source, external domains: api.rebill.com, api.rebill.dev, bugs.chromium.org, bugs.webkit.org, cdnjs.cloudflare.com, chat.stenciljs.com, css-tricks.com, developer.chrome.com, developer.mozilla.org, docs.stripe.com, ecma-international.org, eev.ee, ejohn.org, en.wikipedia.org, es5.github.io, flattr.com, github.com, html.spec.whatwg.org, js.stripe.com, jspdf.default.namespaceuri, lodash.com, mathiasbynens.be, mdn.io, mths.be, npms.io, openjsf.org, opensource.org, pastebin.com, peter.michaux.ca, sdk-iframe.rebill.dev, sdk-iframe.rebill.to, stackoverflow.com, stenciljs.com, tc39.es, underscorejs.org, unpkg.com, v3.docs.rebill.com, webpjs.appspot.com, wonko.com, www.ecma-international.org, www.google.com, www.html5rocks.com, www.i18next.com, www.npmjs.com, www.pagofacil.com.ar, www.phpied.com, www.quasimondo.com, www.rebill.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/rebill/p-GK75wIKe.jsView file
8License: MIT, header required. L9: */var Matrix=function(){var t=Math.cos;var i=Math.sin;var e=Math.tan;var r=Math.round;function s(){this.props[0]=1;this.props[1]=0;this.props[2]=0;this.props[3]=0;this.props[4]=0;t... L10: //# sourceMappingURL=p-GK75wIKe.js.map
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/rebill/p-GK75wIKe.jsView on unpkg · L8
dist/components/p-Co7evZlz.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rebill@1.17.27 matchedIdentity = npm:cmViaWxs:1.17.27 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/components/p-Co7evZlz.jsView on unpkg

Findings

1 High4 Medium8 Low
HighPrevious Version Dangerous Deltadist/components/p-Co7evZlz.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/rebill/p-GK75wIKe.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings