AI Security Review
scanned 7h ago · by lpm-firewall-ai
The package exposes a runtime browser feature that loads backend-provided JavaScript and executes it. This is a dangerous remote code execution capability, but inspection did not find npm lifecycle execution, persistence, credential theft, or AI-agent control-surface writes.
Decision evidence
public snapshot
- dist/index-Ch_Lf81f.js fetches JavaScript from http://222.92.178.198:63002-derived method URLs and executes it with new Function
- dist/index-Ch_Lf81f.js dynamically imports remote dependencies from https://esm.sh and https://unpkg.com based on require() strings in fetched code
- dist/index-Ch_Lf81f.js includes hardcoded external service endpoints including excel-chat, report, face recognition, and websocket URLs
- package.json has no consumer install/postinstall/preinstall hook; prepublishOnly only runs build before publishing
- dist/ss-component.js imports Vue components and registers them; no install-time filesystem or agent control-surface mutation found
- dist/JSEncrypt-B36c1iN5.js appears to be bundled jsencrypt/RSA library code, not a hardcoded private key
- File writes in dist/index-Ch_Lf81f.js use an in-memory virtual fs object, not Node fs on the host
- Network calls appear tied to frontend component/backend features rather than credential harvesting or exfiltration logic
Source & flagged code
8 flagged
- Package contains a critical-looking secret pattern.
  dist/JSEncrypt-B36c1iN5.js (line 1908)
- RSA private key in dist/JSEncrypt-B36c1iN5.js
  dist/JSEncrypt-B36c1iN5.js (line 1908)
- Package source references a known benign dynamic code generation pattern.
  dist/index-Ds6m_4JJ.js (line 1585)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
  dist/index-Ck_oTi7E.js (line 11962)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
  dist/index-Ck_oTi7E.js
- Package ships high-entropy non-source blobs.
  dist/icons/img/insofworkslogo.ico
- Package contains source files above the static scanner size ceiling.
  dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-D9DRZPyb.js
- This package version adds a dangerous source file absent from the previous stored version.
  dist/request-1RPa2bBn.js