registry  /  xyvcard-itsm  /  0.0.66

xyvcard-itsm@0.0.66

npm config set registry https://registry.npmjs.org/

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a bundled Vue ITSM UI module with relative backend API calls and local component imports.

Static reason
One or more suspicious static signals were detected.
Trigger
Application runtime import/use of the Vue plugin or its exported API methods.
Impact
Normal app UI/API behavior; no evidence of install-time execution, credential exfiltration, or host mutation.
Mechanism
Vue plugin registration and relative jmash-core API requests.
Rationale
The scanner hits are explained by a frontend business app bundle: browser token storage, relative backend requests, dynamic local Vue chunk imports, and bundled library helpers. The suspicious fs dependency is not exercised by the inspected package code and there is no lifecycle or import-time malicious behavior.
Evidence
package.jsondist/index.mjsdist/index-BjOS6MHe.mjsdist/base-O2gCbcX8.mjsdts/api/storage/index.jsdts/views/itsm-login/index.vue.jsREADME.md

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares dependency "fs": "0.0.1-security", a Node builtin-name package, but no use was found.
  • dist/index.mjs and dts API files read localStorage tokens for app API Authorization headers.
  • dist/index.mjs uses dynamic import map for Vue route components; import targets are bundled local dist files.
  • Bundled libraries contain Function constructors in dist/index.mjs and dist/base-O2gCbcX8.mjs, matching common dependency helper patterns.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts or bin entry.
  • Main entry dist/index.mjs is a Vue/Jmash plugin exporting APIs, routes, i18n, and install().
  • Network calls use jmash-core request with relative /v1/itsm, /v1/rbac, /v1/storage paths, not hard-coded exfiltration hosts.
  • No child_process, fs import/require, shell execution, persistence, AI-agent config writes, or destructive file operations found.
  • Token handling appears tied to normal login/tenant selection flows in dts/views/itsm-login/index.vue.js.
Behavioral surface
Source
ChildProcessEnvironmentVarsEval
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 240 file(s), 4.20 MB of source, external domains: echarts.apache.org, element-plus.org, github.com, momentjs.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/index-DmqVT2Yh.mjsView file
22819function m5(r) { L22820: return Y(r) ? typeof JSON < "u" && JSON.parse ? JSON.parse(r) : new Function("return (" + r + ");")() : r; L22821: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index-DmqVT2Yh.mjsView on unpkg · L22819
package.jsonView file
Runtime dependency names matching Node built-ins: fs
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index-DmqVT2Yh.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License