AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious package attack surface was established. Runtime browser telemetry and advertising integrations are consistent with the advertised ad-supported video-player purpose.
Decision evidence
public snapshot- `lib/utils/tracking.cjs` creates a persistent browser/player identifier and publishes playback metrics.
- `lib/utils/mqttConfig.cjs` contains a default MQTT broker configuration.
- `lib/sdk/pal.cjs` dynamically loads the Google PAL advertising SDK during nonce generation.
- `package.json` has only publish-time hooks; no preinstall/install/postinstall hook or bin entry.
- `lib/utils/tracking.cjs` telemetry is gated on a license key and configured MQTT, and is invoked from player initialization.
- No Node filesystem, child-process, eval/vm, native binary, credential harvesting, or AI-agent control-surface code was found.
- Published files are browser video/ad-player modules with source maps; no hidden executable payload was found.
Source & flagged code
12 flagged · loading sourcePackage contains a possible secret pattern.
dist/stormcloud-vp.min.jsView on unpkg · L3Hardcoded password in lib/ui/StormcloudVideoPlayer.cjs
lib/ui/StormcloudVideoPlayer.cjsView on unpkg · L1890Hardcoded password in lib/players/HlsPlayer.cjs
lib/players/HlsPlayer.cjsView on unpkg · L1904Hardcoded password in lib/utils/mqttConfig.cjs
lib/utils/mqttConfig.cjsView on unpkg · L113Hardcoded password in lib/utils/mqttClient.cjs
lib/utils/mqttClient.cjsView on unpkg · L129Hardcoded password in lib/utils/tracking.cjs
lib/utils/tracking.cjsView on unpkg · L256Hardcoded password in lib/player/StormcloudVideoPlayer.cjs
lib/player/StormcloudVideoPlayer.cjsView on unpkg · L1853Hardcoded password in lib/player/AdBreakOrchestrator.cjs
lib/player/AdBreakOrchestrator.cjsView on unpkg · L293Hardcoded password in lib/player/AdConfigManager.cjs
lib/player/AdConfigManager.cjsView on unpkg · L1298