registry  /  @ferrumec/auth  /  0.2.1

@ferrumec/auth@0.2.1

Framework-agnostic, pluggable authentication for React applications — session management, token refresh, HTTP client, and reusable auth UI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network activity implements user-configured authenticated API and OAuth/OIDC requests.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer initializes an auth provider or calls its HTTP client.
Impact
Authentication tokens are sent only to configured API/OAuth endpoints as expected by the package purpose.
Mechanism
Configured fetch-based authentication, token refresh, and OAuth flows.
Rationale
The flagged network and token patterns are core, user-configured authentication behavior, not covert collection or exfiltration. Static inspection found no install-time execution, persistence, destructive behavior, or remote payload execution.
Evidence
package.jsondist/index.cjs.jsREADME.md
Network endpoints3
${config.domain}login.microsoftonline.com/${config.tenantId}/oauth2/v2.0graph.microsoft.com/oidc/userinfo

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks.
    • dist/index.cjs.js only sends fetch requests through configured auth/API endpoints.
    • Token storage is explicit browser localStorage/sessionStorage functionality.
    • No child-process, filesystem, eval, VM, environment, or dynamic-import APIs found.
    Behavioral surface
    Source
    Network
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 130 KB of source, external domains: graph.microsoft.com, login.microsoftonline.com

    Source & flagged code

    4 flagged · loading source
    dist/index.cjs.jsView file
    1147patternName = generic_password severity = medium line = 1147 matchedText = if (!pas...d.";
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/index.cjs.jsView on unpkg · L1147
    1297patternName = generic_password severity = medium line = 1297 matchedText = errors.p...d.";
    Medium
    Secret Pattern

    Hardcoded password in dist/index.cjs.js

    dist/index.cjs.jsView on unpkg · L1297
    dist/index.esm.jsView file
    1090patternName = generic_password severity = medium line = 1090 matchedText = if (!pas...d.";
    Medium
    Secret Pattern

    Hardcoded password in dist/index.esm.js

    dist/index.esm.jsView on unpkg · L1090
    1240patternName = generic_password severity = medium line = 1240 matchedText = errors.p...d.";
    Medium
    Secret Pattern

    Hardcoded password in dist/index.esm.js

    dist/index.esm.jsView on unpkg · L1240

    Findings

    5 Medium3 Low
    MediumSecret Patterndist/index.cjs.js
    MediumNetwork
    MediumSecret Patterndist/index.cjs.js
    MediumSecret Patterndist/index.esm.js
    MediumSecret Patterndist/index.esm.js
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings