
ss-component-new@1.3.701

This template should help get you started developing with Vue 3 and TypeScript in Vite. The template uses Vue 3 `<script setup>` SFCs, check out the [script setup docs](https://v3.vuejs.org/api/sfc-script-setup.html#sfc-script-setup) to learn more.

AI Security Review

scanned 7h ago · by lpm-firewall-ai

The package exposes a runtime browser feature that loads backend-provided JavaScript and executes it. This is a dangerous remote code execution capability, but inspection did not find npm lifecycle execution, persistence, credential theft, or AI-agent control-surface writes.

Static reason: High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger: User/runtime interaction with the Vue component calculation/method features.
Impact: Backend-controlled code can run in the consuming browser context and access page/session data available to the component.
Mechanism: Remote JavaScript fetch plus new Function execution with dynamic dependency imports.
Attack narrative: At runtime, component logic obtains method metadata, builds URLs under http://222.92.178.198:63002/, fetches JavaScript, resolves require() dependencies through built-in shims or remote CDN imports, then evaluates the fetched source with new Function and calls its execute export. This creates a backend-controlled code execution path in the browser, but it is not activated by npm install/import alone.
Rationale: Source inspection confirms a real dangerous runtime remote-code execution capability, but not concrete malware behavior or unconsented lifecycle mutation. Treat as warn rather than publish block because activation is component/runtime driven and appears package-aligned.
Evidence: package.json, dist/ss-component.js, dist/index-Ch_Lf81f.js, dist/request-1RPa2bBn.js, dist/JSEncrypt-B36c1iN5.js, dist/config.js, public/config.js
Network endpoints (7): 222.92.178.198:63002/, esm.sh/, unpkg.com/, 222.92.178.198:8000/api/v1/excel-chat, 139.196.154.85:20031, 139.196.154.85:20015, ws://127.0.0.1:22225

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index-Ch_Lf81f.js fetches JavaScript from http://222.92.178.198:63002-derived method URLs and executes it with new Function
  • dist/index-Ch_Lf81f.js dynamically imports remote dependencies from https://esm.sh and https://unpkg.com based on require() strings in fetched code
  • dist/index-Ch_Lf81f.js includes hardcoded external service endpoints including excel-chat, report, face recognition, and websocket URLs
Evidence against
  • package.json has no consumer install/postinstall/preinstall hook; prepublishOnly only runs build before publishing
  • dist/ss-component.js imports Vue components and registers them; no install-time filesystem or agent control-surface mutation found
  • dist/JSEncrypt-B36c1iN5.js appears to be bundled jsencrypt/RSA library code, not a hardcoded private key
  • File writes in dist/index-Ch_Lf81f.js use an in-memory virtual fs object, not Node fs on the host
  • Network calls appear tied to frontend component/backend features rather than credential harvesting or exfiltration logic
Behavioral surface
Source: ChildProcess, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 66 file(s), 5.88 MB of source, external domains: 139.196.154.85, 222.92.178.198, devtools.vuejs.org, element-plus.org, github.com, openoffice.org, pinia.vuejs.org, purl.oclc.org, purl.org, quilljs.com, schemas.microsoft.com, schemas.openxmlformats.org, sheetjs.com, sheetjs.openxmlformats.org, stuk.github.io, www.w3.org
Oversized source lightweight scan
dist/index-Ch_Lf81f.js: 2.40 MB file, sampled 256 KB. Tags: UrlStrings (www.w3.org)
dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-D9DRZPyb.js: 5.67 MB file, sampled 256 KB. Tags: Network, HighEntropyStrings, UrlStrings (quilljs.com, stuk.github.io, www.w3.org)

Source & flagged code

8 flagged
dist/JSEncrypt-B36c1iN5.js (line 1908)
patternName = private_key_rsa, severity = critical, line = 1908, matchedText = var e = ...----
Critical · Critical Secret

Package contains a critical-looking secret pattern.

dist/JSEncrypt-B36c1iN5.js (line 1908)
patternName = private_key_rsa, severity = critical, line = 1908, matchedText = var e = ...----
Critical · Secret Pattern

RSA private key in dist/JSEncrypt-B36c1iN5.js

dist/index-Ds6m_4JJ.js (lines 1585-1587)
L1585: }
L1586: const n = e.slice(e.indexOf("(") + 1, e.lastIndexOf(")")), t = await new Function(`return [${n}]`)();
L1587: return r(...Array.isArray(t) ? t : [t]);
Low · Eval

Package source references a known benign dynamic code generation pattern.

dist/index-Ck_oTi7E.js (line 11962)
line 11962: contains invisible/control Unicode U+200B (zero width space); matched text: --Ÿ­؜<U+200B><U+200E><U+200F>\u2028\u2029<U+202D><U+202E><U+2066><U+2067><U+2069>\uFEFF-]`, j4), Nw = {
Critical · Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/index-Ck_oTi7E.js
Trigger-reachable chain: manifest.module -> dist/ss-component.js -> dist/index-Ck_oTi7E.js. Reachable file contains a blocking source-risk pattern.
Critical · Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/icons/img/insofworkslogo.ico
path = dist/icons/img/insofworkslogo.ico, kind = high_entropy_blob, sizeBytes = 16927, magicHex = [redacted]
High · Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-D9DRZPyb.js
path = dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-D9DRZPyb.js, kind = oversized_source_file, sizeBytes = 5950588, magicHex = [redacted]
High · Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/request-1RPa2bBn.js
matchType = previous_version_dangerous_delta, matchedPackage = ss-component-new@1.3.699, matchedIdentity = npm:c3MtY29tcG9uZW50LW5ldw:1.3.699, similarity = 0.400, summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

Findings

5 Critical, 2 High, 3 Medium, 7 Low
  • Critical · Critical Secret · dist/JSEncrypt-B36c1iN5.js
  • Critical · Trojan Source Unicode · dist/index-Ck_oTi7E.js
  • Critical · Trigger Reachable Dangerous Capability · dist/index-Ck_oTi7E.js
  • Critical · Previous Version Dangerous Delta · dist/request-1RPa2bBn.js
  • Critical · Secret Pattern · dist/JSEncrypt-B36c1iN5.js
  • High · Ships High Entropy Blob · dist/icons/img/insofworkslogo.ico
  • High · Oversized Source File · dist/index.vue_vue_type_style_index_0_scoped_05e3a1d8_lang-D9DRZPyb.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Eval · dist/index-Ds6m_4JJ.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License