ss-component-new@1.3.700

This template should help get you started developing with Vue 3 and TypeScript in Vite. The template uses Vue 3 `<script setup>` SFCs; check out the [script setup docs](https://v3.vuejs.org/api/sfc-script-setup.html#sfc-script-setup) to learn more.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a bundled Vue component library with product API calls and browser storage use, but no install-time execution, persistence, exfiltration, or agent control-surface mutation was found.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
Runtime use of exported Vue components/API helpers by an application.
Impact
Application requests may go to configured product endpoints with application tokens; no malicious behavior confirmed.
Mechanism
package-aligned browser API client and UI components
Rationale
Static inspection found hardcoded product endpoints and token-bearing browser requests, but they are tied to the component library's app functions and not install/import-time exfiltration. Scanner hits for eval, secrets, Unicode, and file APIs resolve to bundled library patterns or public config rather than concrete malware.
Evidence
package.json, dist/ss-component.js, dist/request-1RPa2bBn.js, dist/config.js, public/config.js, dist/index-BDRDpsgF.js, dist/JSEncrypt-B36c1iN5.js
Network endpoints (4)
222.92.178.198:62001, 222.92.178.198:63002, 139.196.154.85:20031, 139.196.154.85:20015

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/request-1RPa2bBn.js creates an axios client to a hardcoded product API and attaches stored bearer tokens at runtime.
  • dist/config.js and public/config.js expose fixed HTTP API endpoints.
Evidence against
  • package.json has only prepublishOnly build hook; no install/postinstall runtime hook.
  • dist/ss-component.js is a Vue component entrypoint with async component imports.
  • No source writes agent configs, shell startup files, VCS hooks, or home/project files.
  • No confirmed child_process execution or Node fs mutation in package code; hits are bundled browser libraries.
  • dist/index-BDRDpsgF.js Unicode controls are inside a CodeMirror special-character regex/table, not hidden logic.
  • dist/JSEncrypt-B36c1iN5.js is bundled JSEncrypt RSA library code; no embedded private key found.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 66 file(s), 5.88 MB of source, external domains: 139.196.154.85, 222.92.178.198, devtools.vuejs.org, element-plus.org, github.com, openoffice.org, pinia.vuejs.org, purl.oclc.org, purl.org, quilljs.com, schemas.microsoft.com, schemas.openxmlformats.org, sheetjs.com, sheetjs.openxmlformats.org, stuk.github.io, www.w3.org
Oversized source lightweight scan
dist/index-BJ3RS3n_.js: 2.40 MB file, sampled 256 KB
UrlStrings: www.w3.org
dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-Mr9QL-WU.js: 5.67 MB file, sampled 256 KB
Network, HighEntropyStrings, UrlStrings: quilljs.com, stuk.github.io, www.w3.org

Source & flagged code

8 flagged
dist/JSEncrypt-B36c1iN5.js
L1908: patternName = private_key_rsa severity = critical line = 1908 matchedText = var e = ...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/JSEncrypt-B36c1iN5.js · L1908
L1908: patternName = private_key_rsa severity = critical line = 1908 matchedText = var e = ...----
Critical
Secret Pattern

RSA private key in dist/JSEncrypt-B36c1iN5.js

dist/JSEncrypt-B36c1iN5.js · L1908
dist/main-Cepry4zn.js
L444: try {
L445: const j = new Function(`return ${a}`)();
L446: if (Array.isArray(j) || typeof j == "object")
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/main-Cepry4zn.js · L444
dist/index-BDRDpsgF.js
L11962: contains invisible/control Unicode U+200B (zero width space) --Ÿ­؜<U+200B><U+200E><U+200F>\u2028\u2029<U+202D><U+202E><U+2066><U+2067><U+2069>\uFEFF-]`, j4), Nw = {
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/index-BDRDpsgF.js · L11962
Trigger-reachable chain: manifest.module -> dist/ss-component.js -> dist/index-BDRDpsgF.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index-BDRDpsgF.js
dist/icons/img/insofworkslogo.ico
path = dist/icons/img/insofworkslogo.ico kind = high_entropy_blob sizeBytes = 16927 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/icons/img/insofworkslogo.ico
dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-Mr9QL-WU.js
path = dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-Mr9QL-WU.js kind = oversized_source_file sizeBytes = 5948514 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-Mr9QL-WU.js
dist/request-1RPa2bBn.js
matchType = previous_version_dangerous_delta matchedPackage = ss-component-new@1.3.699 matchedIdentity = npm:c3MtY29tcG9uZW50LW5ldw:1.3.699 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/request-1RPa2bBn.js

Findings

5 Critical, 2 High, 3 Medium, 7 Low
Critical · Critical Secret · dist/JSEncrypt-B36c1iN5.js
Critical · Trojan Source Unicode · dist/index-BDRDpsgF.js
Critical · Trigger Reachable Dangerous Capability · dist/index-BDRDpsgF.js
Critical · Previous Version Dangerous Delta · dist/request-1RPa2bBn.js
Critical · Secret Pattern · dist/JSEncrypt-B36c1iN5.js
High · Ships High Entropy Blob · dist/icons/img/insofworkslogo.ico
High · Oversized Source File · dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-Mr9QL-WU.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/main-Cepry4zn.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License