registry  /  vue-layout-gitcode  /  1.12.15-beta.3

vue-layout-gitcode@1.12.15-beta.3

用于 gitcode 站点生产环境使用

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a bundled Vue layout/login/search UI for GitCode with user-invoked browser API calls and CDN assets.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing/using exported Vue components in a browser app
Impact
No unauthorized install-time execution, credential exfiltration, persistence, or destructive behavior identified
Mechanism
Vue UI components with GitCode API requests and captcha SDK loading
Rationale
Static inspection shows a browser-side Vue component bundle whose network and storage primitives support login, search, reporting, captcha, and layout behavior for GitCode. Scanner hits map to bundled third-party libraries, public config, browser localStorage, and package-aligned endpoints rather than malicious execution or exfiltration.
Evidence
package.jsonindex.jsindex-CtgqGX_c.jsindex-BniudX3d.jsindex-Vmx0G7Nd.jsSearchRecommed-BP1gksCD.js
Network endpoints6
gitcode.comweb-api.gitcode.comcdn-static.gitcode.comnews.gitcode.comai.gitcode.comwww.huaweicloud.com

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has main index.js and no lifecycle scripts or bin entries
    • index.js only re-exports Vue layout components from index-CtgqGX_c.js
    • Network use is GitCode UI/API/CDN aligned: web-api.gitcode.com, gitcode.com, cdn-static.gitcode.com
    • Dynamic script loads are captcha/customer-support SDKs for GitCode UI flows, not install/import execution
    • No child_process, fs writes, shell commands, native binaries, persistence, or project file mutation found
    • Hardcoded VITE_SECRET_KEY/IV are client-side login encryption config in bundled UI code, not credential harvesting
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsEvalNetwork
    Supply chain
    HighEntropyStringsTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 16 file(s), 1.19 MB of source, external domains: ai.gitcode.com, atomgit.com, beian.miit.gov.cn, beian.mps.gov.cn, cdn-static.gitcode.com, competition.gitcode, docs.atomgit.com, docs.gitcode.com, gitcode-img.obs.cn-south-1.myhuaweicloud.com, gitcode.com, gitcode.s2.udesk.cn, news.gitcode.com, pre-news.atomgit.com, pre-news.gitcode.com, test-news.atomgit.com, test-news.gitcode.net, test.gitcode.net, tianqi.gitcode.com, vue-i18n.intlify.dev, web-api.gitcode.com, www.csdn.net, www.huaweicloud.com, www.w3.org, www.zhipin.com

    Source & flagged code

    2 flagged · loading source
    index-CtgqGX_c.jsView file
    8348patternName = generic_password severity = medium line = 8348 matchedText = password...in",
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    index-CtgqGX_c.jsView on unpkg · L8348
    4555const { code: code2, detectError } = baseCompile(message, context); L4556: const msg = new Function(`return ${code2}`)(); L4557: return !detectError ? compileCache[cacheKey] = msg : msg;
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    index-CtgqGX_c.jsView on unpkg · L4555

    Findings

    3 Medium4 Low
    MediumSecret Patternindex-CtgqGX_c.js
    MediumNetwork
    MediumEnvironment Vars
    LowEvalindex-CtgqGX_c.js
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings