registry  /  @olostecnologia/olos-cognito-auth  /  1.4.0-beta.0

@olostecnologia/olos-cognito-auth@1.4.0-beta.0

React Component that manages Cognito Tokens and generates new Tokens for Olos Applications.

AI Security Review

scanned 55m ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime authentication requests and browser token storage match the package’s documented Cognito-token purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer mounts `OlosCognitoAuthProvider`, requests token generation, or submits the login form.
Impact
No unconsented install-time execution, foreign data exfiltration, persistence, or destructive action was found.
Mechanism
Configured Cognito authentication and Olos token issuance/refresh.
Rationale
The scanner’s credential-phishing label is unsupported by source: credentials are used by the documented Cognito/Olos authentication flow and sent only to package-aligned Olos auth endpoints. No install hook or concrete malicious execution, exfiltration, persistence, or destructive behavior was found.
Evidence
package.jsonREADME.mddist/index.jsdist/global-polyfill.jsdist/services/API.d.tsdist/services/OlosToken.d.ts
Network endpoints5
auth.api-dev.olos.live/tokenauth.api-staging.olos.live/tokenauth.api-staging02.olos.live/tokenauth.api-prod01.olos.live/tokenauth.api.olos.live/token

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` posts configured Cognito/app credentials to Olos token endpoints.
  • `dist/index.js` stores authentication tokens in browser local/session storage.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `dist/index.js` contains only static package/dependency requires; no eval, shell, filesystem, or dynamic loader.
  • Network calls are limited to `/token` and `/token/refresh` on declared Olos auth hosts.
  • Login credentials are passed to `awsAmplify.Auth.signIn` from the rendered Cognito form.
  • `README.md` documents this package as a Cognito/Olos token provider and its configured credentials.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 202 KB of source, external domains: auth.api-dev.olos.live, auth.api-prod01.olos.live, auth.api-staging.olos.live, auth.api-staging02.olos.live, auth.api.olos.live, www.w3.org

Source & flagged code

24 flagged · loading source
dist/index.jsView file
6var React = require('react'); L7: var axios = require('axios'); L8: var workerTimers = require('worker-timers'); ... L182: return new Promise(function (resolve, reject) { L183: axios.post(serviceUrl, null, config$1) L184: .then(function (_a) { ... L426: try { L427: var cached = JSON.parse(raw); L428: var expireDate = UnixTimestamp.toDate(cached.expires_at); ... L1221: userPoolWebClientId: app_id_1, L1222: authenticationFlowType: 'USER_PASSWORD_AUTH', L1223: oauth: {
Critical
Browser Credential Phishing

Source appears to collect browser login credentials for exfiltration.

dist/index.jsView on unpkg · L6
6Trigger-reachable chain: manifest.main -> dist/index.js L6: var React = require('react'); L7: var axios = require('axios'); L8: var workerTimers = require('worker-timers'); ... L182: return new Promise(function (resolve, reject) { L183: axios.post(serviceUrl, null, config$1) L184: .then(function (_a) { ... L426: try { L427: var cached = JSON.parse(raw); L428: var expireDate = UnixTimestamp.toDate(cached.expires_at); ... L1221: userPoolWebClientId: app_id_1, L1222: authenticationFlowType: 'USER_PASSWORD_AUTH', L1223: oauth: {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L6
677patternName = generic_password severity = medium line = 677 matchedText = new_pass...ha",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L677
680patternName = generic_password severity = medium line = 680 matchedText = forgot_p...ha",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L680
684patternName = generic_password severity = medium line = 684 matchedText = reset_pa...ha",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L684
731patternName = generic_password severity = medium line = 731 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L731
732patternName = generic_password severity = medium line = 732 matchedText = new_pass...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L732
735patternName = generic_password severity = medium line = 735 matchedText = forgot_p...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L735
739patternName = generic_password severity = medium line = 739 matchedText = reset_pa...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L739
785patternName = generic_password severity = medium line = 785 matchedText = password...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L785
786patternName = generic_password severity = medium line = 786 matchedText = new_pass...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L786
789patternName = generic_password severity = medium line = 789 matchedText = forgot_p...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L789
793patternName = generic_password severity = medium line = 793 matchedText = reset_pa...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L793
dist/index.es.jsView file
657patternName = generic_password severity = medium line = 657 matchedText = new_pass...ha",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L657
660patternName = generic_password severity = medium line = 660 matchedText = forgot_p...ha",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L660
664patternName = generic_password severity = medium line = 664 matchedText = reset_pa...ha",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L664
711patternName = generic_password severity = medium line = 711 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L711
712patternName = generic_password severity = medium line = 712 matchedText = new_pass...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L712
715patternName = generic_password severity = medium line = 715 matchedText = forgot_p...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L715
719patternName = generic_password severity = medium line = 719 matchedText = reset_pa...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L719
765patternName = generic_password severity = medium line = 765 matchedText = password...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L765
766patternName = generic_password severity = medium line = 766 matchedText = new_pass...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L766
769patternName = generic_password severity = medium line = 769 matchedText = forgot_p...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L769
773patternName = generic_password severity = medium line = 773 matchedText = reset_pa...ña",
Medium
Secret Pattern

Hardcoded password in dist/index.es.js

dist/index.es.jsView on unpkg · L773

Findings

2 Critical24 Medium3 Low
CriticalBrowser Credential Phishingdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumSecret Patterndist/index.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
MediumSecret Patterndist/index.es.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings