AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime authentication requests and browser token storage match the package’s documented Cognito-token purpose.
Decision evidence
public snapshot- `dist/index.js` posts configured Cognito/app credentials to Olos token endpoints.
- `dist/index.js` stores authentication tokens in browser local/session storage.
- `package.json` has no preinstall, install, or postinstall hook.
- `dist/index.js` contains only static package/dependency requires; no eval, shell, filesystem, or dynamic loader.
- Network calls are limited to `/token` and `/token/refresh` on declared Olos auth hosts.
- Login credentials are passed to `awsAmplify.Auth.signIn` from the rendered Cognito form.
- `README.md` documents this package as a Cognito/Olos token provider and its configured credentials.
Source & flagged code
24 flagged · loading sourceSource appears to collect browser login credentials for exfiltration.
dist/index.jsView on unpkg · L6A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L6