registry  /  yh-report  /  2.4.86

yh-report@2.4.86

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is a report designer/viewer that deliberately executes JavaScript stored in report configuration in the browser. This can execute code supplied by a report author when a report is viewed, but no package-authored payload or installation-time attack is present.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
An application loads a saved report or renders chart/cell configuration containing custom script fields.
Impact
A party able to save report scripts could run arbitrary browser-context code for report viewers.
Mechanism
Browser-side execution of persisted report-template JavaScript via eval and Function.
Rationale
The package contains intentional, reachable dynamic code execution for configurable reports, creating a dangerous dual-use browser capability. Source inspection does not establish package-authored malicious behavior, so a warning rather than a block is appropriate.
Evidence
package.jsonindex.es.jsindex-B_fjd8e4.mjsStatementDesign-DH0EbG4e.mjsStatementDetail-KwAJlfhe.mjsStatementList-BITrzcDz.mjseditorLock-DdAYyg2u.mjs
Network endpoints3
sysReport/config/report/data/${S}sysReport/save

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `index-B_fjd8e4.mjs` evaluates `processData` from report configuration.
  • `index-B_fjd8e4.mjs` builds cell `customRender` handlers with `new Function`.
  • `index-B_fjd8e4.mjs` evaluates chart axis, series, and tooltip scripts fetched in report config.
  • `StatementDesign-DH0EbG4e.mjs` exposes editors for custom render and chart-processing code.
  • Report detail routes load saved configuration through `sysReport/config` before rendering.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • No Node filesystem, shell, child-process, native-binary, or credential-harvesting code is imported by package entrypoints.
  • No hard-coded external host, exfiltration endpoint, persistence action, or AI-agent control-surface mutation found.
  • The flagged Unicode is a bundled parser regular expression that detects control characters, not hidden executable source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 3.04 MB of source, external domains: developer.mozilla.org, docs.js.sforcecon.com, example.com, feross.org, github.com, npms.io, purl.org, raw.github.com, schemas.microsoft.com, schemas.openxmlformats.org, stuartk.com, www.computerhope.com, www.w3.org

Source & flagged code

3 flagged · loading source
index-B_fjd8e4.mjsView file
1620const fun = function(axios, dayjs) { L1621: return eval( L1622: `async (allData, params,pagination) => {
Low
Eval

Package source references a known benign dynamic code generation pattern.

index-B_fjd8e4.mjsView on unpkg · L1620
StatementDesign-DH0EbG4e.mjsView file
12278contains invisible/control Unicode U+200B (zero width space) --Ÿ­؜<U+200B><U+200E><U+200F>\u2028\u2029<U+202D><U+202E><U+2066><U+2067><U+2069>\uFEFF-]`, Ya), uv = {
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

StatementDesign-DH0EbG4e.mjsView on unpkg · L12278
Trigger-reachable chain: manifest.main -> index.es.js -> index-B_fjd8e4.mjs -> StatementDesign-DH0EbG4e.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

StatementDesign-DH0EbG4e.mjsView on unpkg

Findings

2 Critical2 Medium5 Low
CriticalTrojan Source UnicodeStatementDesign-DH0EbG4e.mjs
CriticalTrigger Reachable Dangerous CapabilityStatementDesign-DH0EbG4e.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalindex-B_fjd8e4.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings