registry  /  @reventlessdev/reventless-ui  /  3.0.0-alpha.32

@reventlessdev/reventless-ui@3.0.0-alpha.32

Reventless UI components

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a bundled React/ReScript UI library with auth, GraphQL, WebSocket, and module-federation runtime capabilities that are activated by consuming applications and configuration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing and rendering exported UI providers/components in a consuming app.
Impact
No unconsented install-time mutation, credential exfiltration, or hidden remote payload execution confirmed by static inspection.
Mechanism
User-invoked UI auth and configured API/module-federation runtime behavior.
Rationale
Scanner hints map to legitimate bundled UI/auth and module-federation code paths, including username/password form handling and runtime-configured fetch/WebSocket usage. With no install hooks, no hardcoded exfiltration endpoint, and no hidden package import-time payload, the source supports a clean verdict.
Evidence
package.jsonREADME.mddist/index.mjsdist/index-BaFjI-Rt.mjsdist/index-BBdKl-JC.mjs

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script is present.
    • dist/index.mjs only re-exports symbols from dist/index-BaFjI-Rt.mjs.
    • Credential handling in dist/index-BaFjI-Rt.mjs is an exported AuthProvider login flow using Cognito or a configured local API, then storing auth state under reventless.auth.v1.
    • Network calls are tied to UI/runtime configuration: GraphQL endpoints, plugin registry fetches, Cognito auth, and module-federation remotes.
    • Dynamic import/vm/new Function code is bundled @module-federation runtime behavior for configured remote entries, not install-time execution or hidden payload loading.
    • No evidence of filesystem writes, credential harvesting beyond user-invoked login, exfiltration to hardcoded attacker endpoint, persistence, or destructive behavior.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsEvalNetworkWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 3 file(s), 857 KB of source, external domains: cognito-idp-fips.us-east-1.amazonaws.com, cognito-idp-fips.us-east-2.amazonaws.com, cognito-idp-fips.us-west-1.amazonaws.com, cognito-idp-fips.us-west-2.amazonaws.com, cognito-idp.amazonaws.com, eu-west-1.console.aws.amazon.com, github.com, module-federation.io

    Source & flagged code

    5 flagged · loading source
    dist/index-BaFjI-Rt.mjsView file
    70return t === void 0 ? { L71: BS_PRIVATE_NESTED_SOME_NONE: 0 L72: } : t !== null && t.BS_PRIVATE_NESTED_SOME_NONE !== void 0 ? { ... L1855: }, t; L1856: })(), MS = "-ms-", MOZ = "-moz-", WEBKIT = "-webkit-", COMMENT = "comm", RULESET = "rule", DECLARATION = "decl", IMPORT = "@import", KEYFRAMES = "@keyframes", LAYER = "@layer", abs... L1857: function hash$1(t, n) { ... L3213: let n = t.label, o = t.value, u = n !== void 0 ? n : "Copy", p = React.useState(() => !1), y = p[1], $ = p[0], S = (x) => { L3214: x.stopPropagation(), x.preventDefault(), $$catch(navigator.clipboard.writeText(o).then(() => (y((E) => !0), setTimeout(() => y((E) => !1), 1500), Promise.resolve())), (E) => Promis... L3215: }, _ = $ ? button$2 + " " + confirmed : button$2; ... L4849: closeBtn: closeBtn$1, L4850: body: body$3, L4851: footer: footer$2
    Critical
    Browser Credential Phishing

    Source appears to collect browser login credentials for exfiltration.

    dist/index-BaFjI-Rt.mjsView on unpkg · L70
    70Trigger-reachable chain: manifest.module -> dist/index.mjs -> dist/index-BaFjI-Rt.mjs L70: return t === void 0 ? { L71: BS_PRIVATE_NESTED_SOME_NONE: 0 L72: } : t !== null && t.BS_PRIVATE_NESTED_SOME_NONE !== void 0 ? { ... L1855: }, t; L1856: })(), MS = "-ms-", MOZ = "-moz-", WEBKIT = "-webkit-", COMMENT = "comm", RULESET = "rule", DECLARATION = "decl", IMPORT = "@import", KEYFRAMES = "@keyframes", LAYER = "@layer", abs... L1857: function hash$1(t, n) { ... L3213: let n = t.label, o = t.value, u = n !== void 0 ? n : "Copy", p = React.useState(() => !1), y = p[1], $ = p[0], S = (x) => { L3214: x.stopPropagation(), x.preventDefault(), $$catch(navigator.clipboard.writeText(o).then(() => (y((E) => !0), setTimeout(() => y((E) => !1), 1500), Promise.resolve())), (E) => Promis... L3215: }, _ = $ ? button$2 + " " + confirmed : button$2; ... L4849: closeBtn: closeBtn$1, L4850: body: body$3, L4851: footer: footer$2
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index-BaFjI-Rt.mjsView on unpkg · L70
    18440async loadEventStreamCapability() { L18441: const { EventStreamSerde: o } = await import("./index-BBdKl-JC.mjs"); L18442: return new o({
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/index-BaFjI-Rt.mjsView on unpkg · L18440
    70return t === void 0 ? { L71: BS_PRIVATE_NESTED_SOME_NONE: 0 L72: } : t !== null && t.BS_PRIVATE_NESTED_SOME_NONE !== void 0 ? { ... L1855: }, t; L1856: })(), MS = "-ms-", MOZ = "-moz-", WEBKIT = "-webkit-", COMMENT = "comm", RULESET = "rule", DECLARATION = "decl", IMPORT = "@import", KEYFRAMES = "@keyframes", LAYER = "@layer", abs... L1857: function hash$1(t, n) { ... L3213: let n = t.label, o = t.value, u = n !== void 0 ? n : "Copy", p = React.useState(() => !1), y = p[1], $ = p[0], S = (x) => { L3214: x.stopPropagation(), x.preventDefault(), $$catch(navigator.clipboard.writeText(o).then(() => (y((E) => !0), setTimeout(() => y((E) => !1), 1500), Promise.resolve())), (E) => Promis... L3215: }, _ = $ ? button$2 + " " + confirmed : button$2; ... L4849: closeBtn: closeBtn$1, L4850: body: body$3, L4851: footer: footer$2
    Medium
    Unsafe Vm Context

    Package source executes code through a VM context API.

    dist/index-BaFjI-Rt.mjsView on unpkg · L70
    23676let o; L23677: return t.getPublicPath.startsWith("function") ? o = new Function("return " + t.getPublicPath)()() : o = new Function(t.getPublicPath)(), `${o}${n}`; L23678: } else return "publicPath" in t ? !isBrowserEnv() && !isReactNativeEnv() && "ssrPublicPath" in t ? `${t.ssrPublicPath}${n}` : `${t.publicPath}${n}` : (console.warn("Cannot get reso...
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/index-BaFjI-Rt.mjsView on unpkg · L23676

    Findings

    2 Critical5 Medium5 Low
    CriticalBrowser Credential Phishingdist/index-BaFjI-Rt.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/index-BaFjI-Rt.mjs
    MediumDynamic Requiredist/index-BaFjI-Rt.mjs
    MediumUnsafe Vm Contextdist/index-BaFjI-Rt.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/index-BaFjI-Rt.mjs
    LowHigh Entropy Strings
    LowUrl Strings