AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a bundled Vue layout/login/search UI for GitCode with user-invoked browser API calls and CDN assets.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing/using exported Vue components in a browser app
Impact
No unauthorized install-time execution, credential exfiltration, persistence, or destructive behavior identified
Mechanism
Vue UI components with GitCode API requests and captcha SDK loading
Rationale
Static inspection shows a browser-side Vue component bundle whose network and storage primitives support login, search, reporting, captcha, and layout behavior for GitCode. Scanner hits map to bundled third-party libraries, public config, browser localStorage, and package-aligned endpoints rather than malicious execution or exfiltration.
Evidence
package.jsonindex.jsindex-CtgqGX_c.jsindex-BniudX3d.jsindex-Vmx0G7Nd.jsSearchRecommed-BP1gksCD.js
Network endpoints6
gitcode.comweb-api.gitcode.comcdn-static.gitcode.comnews.gitcode.comai.gitcode.comwww.huaweicloud.com
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has main index.js and no lifecycle scripts or bin entries
- index.js only re-exports Vue layout components from index-CtgqGX_c.js
- Network use is GitCode UI/API/CDN aligned: web-api.gitcode.com, gitcode.com, cdn-static.gitcode.com
- Dynamic script loads are captcha/customer-support SDKs for GitCode UI flows, not install/import execution
- No child_process, fs writes, shell commands, native binaries, persistence, or project file mutation found
- Hardcoded VITE_SECRET_KEY/IV are client-side login encryption config in bundled UI code, not credential harvesting
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalNetwork
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
2 flagged · loading sourceindex-CtgqGX_c.jsView file
8348patternName = generic_password
severity = medium
line = 8348
matchedText = password...in",
Medium
4555const { code: code2, detectError } = baseCompile(message, context);
L4556: const msg = new Function(`return ${code2}`)();
L4557: return !detectError ? compileCache[cacheKey] = msg : msg;
Low
Eval
Package source references a known benign dynamic code generation pattern.
index-CtgqGX_c.jsView on unpkg · L4555Findings
3 Medium4 Low
MediumSecret Patternindex-CtgqGX_c.js
MediumNetwork
MediumEnvironment Vars
LowEvalindex-CtgqGX_c.js
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings