AI Security Review
scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a bundled Vue component library with product API calls and browser storage use, but no install-time execution, persistence, exfiltration, or agent control-surface mutation was found.
Decision evidence
public snapshot
- dist/request-1RPa2bBn.js creates an axios client to a hardcoded product API and attaches stored bearer tokens at runtime.
- dist/config.js and public/config.js expose fixed HTTP API endpoints.
- package.json has only a prepublishOnly build hook; no install/postinstall runtime hook.
- dist/ss-component.js is a Vue component entrypoint with async component imports.
- No source writes agent configs, shell startup files, VCS hooks, or home/project files.
- No confirmed child_process execution or Node fs mutation in package code; hits are bundled browser libraries.
- dist/index-BDRDpsgF.js Unicode controls are inside a CodeMirror special-character regex/table, not hidden logic.
- dist/JSEncrypt-B36c1iN5.js is bundled JSEncrypt RSA library code; no embedded private key found.
Source & flagged code
8 flagged
- Package contains a critical-looking secret pattern. (dist/JSEncrypt-B36c1iN5.js, line 1908)
- RSA private key in dist/JSEncrypt-B36c1iN5.js. (dist/JSEncrypt-B36c1iN5.js, line 1908)
- Package source references a known benign dynamic code generation pattern. (dist/main-Cepry4zn.js, line 444)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (dist/index-BDRDpsgF.js, line 11962)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/index-BDRDpsgF.js)
- Package ships high-entropy non-source blobs. (dist/icons/img/insofworkslogo.ico)
- Package contains source files above the static scanner size ceiling. (dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-Mr9QL-WU.js)
- This package version adds a dangerous source file absent from the previous stored version. (dist/request-1RPa2bBn.js)