registry  /  @reventlessdev/reventless-host-shell  /  3.0.0-alpha.34

@reventlessdev/reventless-host-shell@3.0.0-alpha.34

Reventless host shell SPA — loads plugin UI fragments at runtime via Module Federation

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a host shell SPA and CLI wrapper that serves prebuilt dist and talks to configured GraphQL/auth endpoints.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs reventless-host-shell or opens served SPA.
Impact
Expected runtime network/auth behavior for the host shell; no credential harvesting, persistence, destructive action, or install-time execution found.
Mechanism
Vite preview plus browser GraphQL/auth client and Module Federation plugin loader.
Rationale
Static inspection shows scanner hits are package-aligned: a user-invoked CLI starts Vite preview, browser login sends credentials to configured local/Cognito auth and stores returned tokens locally, and runtime remote loading supports documented plugin UI fragments. No install-time execution, exfiltration endpoint, filesystem harvesting, persistence, or destructive behavior was found.
Evidence
package.jsonbin/start.mjsvite.config.mjsdist/config.jsondist/index.htmldist/assets/index-CFSsOKn1.jsdist/assets/virtual_mf-REMOTE_ENTRY_ID___mfe_internal__reventless_host_shell__remoteEntry-_hash_-C7GyRUYR.js
Network endpoints6
/graphql/platform-graphql/__inmemory/loginlocalhost:4000localhost:4001cognito-idp.{Region}.amazonaws.com

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hooks; only prepublishOnly build script.
    • bin/start.mjs only spawns local vite preview for packaged dist on user-invoked CLI.
    • dist/config.json uses relative /graphql and /platform-graphql with authMode local.
    • vite.config.mjs proxies /graphql and /__inmemory to localhost:4000 and /platform-graphql to localhost:4001.
    • dist/assets/index-CFSsOKn1.js login posts username/password to configured local/Cognito auth endpoints and stores returned token in localStorage.
    • Module Federation remoteEntryUrl loading is runtime plugin UI behavior described by package metadata, not a hidden payload.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEvalNetworkShellWebSocket
    Supply chain
    HighEntropyStringsMinifiedProtestwareUrlStrings
    Manifest
    NoLicense
    scanned 17 file(s), 786 KB of source, external domains: cognito-idp-fips.us-east-1.amazonaws.com, cognito-idp-fips.us-east-2.amazonaws.com, cognito-idp-fips.us-west-1.amazonaws.com, cognito-idp-fips.us-west-2.amazonaws.com, cognito-idp.amazonaws.com, github.com, reactjs.org, underscorejs.org, www.w3.org

    Source & flagged code

    2 flagged · loading source
    bin/start.mjsView file
    17const pkgDir = resolve(dirname(fileURLToPath(import.meta.url)), '..') L18: const require = createRequire(import.meta.url) L19: const vitePkg = require.resolve('vite/package.json', { paths: [pkgDir] })
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    bin/start.mjsView on unpkg · L17
    dist/assets/index-CFSsOKn1.jsView file
    1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/index-Coxr9JYr.js"])))=>i.map(i=>d[i]); L2: import"./virtualExposes-DN39MDG_.js";import{d as __}from"./virtual_mf-REMOTE_ENTRY_ID___mfe_internal__reventless_host_shell__remoteEntry-_hash_-C7GyRUYR.js";import{b as Pt,c as ye,... L3: `));return n(i)},OR={step:"serialize",tags:["HTTP_AUTH_SCHEME"],name:"httpAuthSchemeMiddleware",override:!0,relation:"before",toMiddleware:"endpointV2Middleware"},NR=(e,{httpAuthSc... ... L16: ${Fn(s)}`}getCanonicalPath({path:t}){if(this.uriEscapePath){const n=[];for(const a of t.split("/"))a?.length!==0&&a!=="."&&(a===".."?n.pop():n.push(a));const r=`${t?.startsWith("/"... L17: `);return this.signString(g,{signingDate:r,signingRegion:l,signingService:s,eventStreamCredentials:o})}async signMessage(t,{signingDate:n=new Date,signingRegion:r,signingService:i,... L18: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var l,u=!0,c=!1;return{s:function(){a=a.call(r)},n:function(){var f=a.next();return u=f.done,f}... ... L26: */function Ek(e,t){var n=Ml.length?Ml.pop():[],r=Ul.length?Ul.pop():[],i=oc(e,t,n,r);return n.length=0,r.length=0,Ml.push(n),Ul.push(r)
    Critical
    Browser Credential Phishing

    Source appears to collect browser login credentials for exfiltration.

    dist/assets/index-CFSsOKn1.jsView on unpkg · L1

    Findings

    1 Critical4 Medium6 Low
    CriticalBrowser Credential Phishingdist/assets/index-CFSsOKn1.js
    MediumDynamic Requirebin/start.mjs
    MediumNetwork
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEval
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License