registry  /  @reventlessdev/reventless-ui  /  3.0.0-alpha.31

@reventlessdev/reventless-ui@3.0.0-alpha.31

Reventless UI components

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React/ReScript UI library with auth, GraphQL, WebSocket, Cognito, and module-federation functionality activated by consuming applications.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports and renders exported UI/auth/plugin components.
Impact
Expected UI login/session behavior and plugin rendering; no concrete exfiltration or install-time compromise identified.
Mechanism
Configured application networking and optional remote plugin loading.
Rationale
Static inspection shows scanner hits map to package-aligned UI authentication, GraphQL/WebSocket, AWS Cognito, and module-federation runtime code rather than hidden install/import-time malware. There are risky primitives, but they are user/configuration-driven features with no hardcoded credential exfiltration, persistence, destructive action, or lifecycle execution.
Evidence
package.jsondist/index.mjsdist/index-C0DvoavR.mjsREADME.mdbrowser localStorage key reventless.auth.v1browser localStorage key FEDERATION_DEBUG
Network endpoints8
cognito-idp.{Region}.amazonaws.comcognito-idp-fips.us-east-1.amazonaws.comcognito-idp-fips.us-east-2.amazonaws.comcognito-idp-fips.us-west-1.amazonaws.comcognito-idp-fips.us-west-2.amazonaws.comlocalhost:4000/graphql/__inmemory/login/config.json

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index-C0DvoavR.mjs contains module-federation runtime capable of fetching/evaluating configured remote entries.
  • dist/index-C0DvoavR.mjs AuthProvider sends username/password to configured Cognito or local apiEndpoint login URL.
  • dist/index-C0DvoavR.mjs stores auth tokens in browser localStorage under package auth key.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build command.
  • dist/index.mjs only re-exports symbols from bundled dist file.
  • Credential handling is part of exported Login/AuthProvider UI and uses caller config, not hardcoded exfiltration endpoints.
  • Network calls target caller-supplied apiEndpoint/platformApiEndpoint/subscription endpoints or AWS Cognito SDK endpoints.
  • No fs/child_process persistence, destructive behavior, reviewer prompt injection, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 855 KB of source, external domains: cognito-idp-fips.us-east-1.amazonaws.com, cognito-idp-fips.us-east-2.amazonaws.com, cognito-idp-fips.us-west-1.amazonaws.com, cognito-idp-fips.us-west-2.amazonaws.com, cognito-idp.amazonaws.com, eu-west-1.console.aws.amazon.com, github.com, module-federation.io

Source & flagged code

5 flagged · loading source
dist/index-C0DvoavR.mjsView file
70return t === void 0 ? { L71: BS_PRIVATE_NESTED_SOME_NONE: 0 L72: } : t !== null && t.BS_PRIVATE_NESTED_SOME_NONE !== void 0 ? { ... L1855: }, t; L1856: })(), MS = "-ms-", MOZ = "-moz-", WEBKIT = "-webkit-", COMMENT = "comm", RULESET = "rule", DECLARATION = "decl", IMPORT = "@import", KEYFRAMES = "@keyframes", LAYER = "@layer", abs... L1857: function hash$1(t, n) { ... L3213: let n = t.label, o = t.value, u = n !== void 0 ? n : "Copy", p = React.useState(() => !1), y = p[1], $ = p[0], S = (x) => { L3214: x.stopPropagation(), x.preventDefault(), $$catch(navigator.clipboard.writeText(o).then(() => (y((E) => !0), setTimeout(() => y((E) => !1), 1500), Promise.resolve())), (E) => Promis... L3215: }, _ = $ ? button$2 + " " + confirmed : button$2; ... L4839: closeBtn: closeBtn$1, L4840: body: body$3, L4841: footer: footer$2
Critical
Browser Credential Phishing

Source appears to collect browser login credentials for exfiltration.

dist/index-C0DvoavR.mjsView on unpkg · L70
70Trigger-reachable chain: manifest.module -> dist/index.mjs -> dist/index-C0DvoavR.mjs L70: return t === void 0 ? { L71: BS_PRIVATE_NESTED_SOME_NONE: 0 L72: } : t !== null && t.BS_PRIVATE_NESTED_SOME_NONE !== void 0 ? { ... L1855: }, t; L1856: })(), MS = "-ms-", MOZ = "-moz-", WEBKIT = "-webkit-", COMMENT = "comm", RULESET = "rule", DECLARATION = "decl", IMPORT = "@import", KEYFRAMES = "@keyframes", LAYER = "@layer", abs... L1857: function hash$1(t, n) { ... L3213: let n = t.label, o = t.value, u = n !== void 0 ? n : "Copy", p = React.useState(() => !1), y = p[1], $ = p[0], S = (x) => { L3214: x.stopPropagation(), x.preventDefault(), $$catch(navigator.clipboard.writeText(o).then(() => (y((E) => !0), setTimeout(() => y((E) => !1), 1500), Promise.resolve())), (E) => Promis... L3215: }, _ = $ ? button$2 + " " + confirmed : button$2; ... L4839: closeBtn: closeBtn$1, L4840: body: body$3, L4841: footer: footer$2
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index-C0DvoavR.mjsView on unpkg · L70
18368async loadEventStreamCapability() { L18369: const { EventStreamSerde: o } = await import("./index-BldJuH25.mjs"); L18370: return new o({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index-C0DvoavR.mjsView on unpkg · L18368
70return t === void 0 ? { L71: BS_PRIVATE_NESTED_SOME_NONE: 0 L72: } : t !== null && t.BS_PRIVATE_NESTED_SOME_NONE !== void 0 ? { ... L1855: }, t; L1856: })(), MS = "-ms-", MOZ = "-moz-", WEBKIT = "-webkit-", COMMENT = "comm", RULESET = "rule", DECLARATION = "decl", IMPORT = "@import", KEYFRAMES = "@keyframes", LAYER = "@layer", abs... L1857: function hash$1(t, n) { ... L3213: let n = t.label, o = t.value, u = n !== void 0 ? n : "Copy", p = React.useState(() => !1), y = p[1], $ = p[0], S = (x) => { L3214: x.stopPropagation(), x.preventDefault(), $$catch(navigator.clipboard.writeText(o).then(() => (y((E) => !0), setTimeout(() => y((E) => !1), 1500), Promise.resolve())), (E) => Promis... L3215: }, _ = $ ? button$2 + " " + confirmed : button$2; ... L4839: closeBtn: closeBtn$1, L4840: body: body$3, L4841: footer: footer$2
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/index-C0DvoavR.mjsView on unpkg · L70
23604let o; L23605: return t.getPublicPath.startsWith("function") ? o = new Function("return " + t.getPublicPath)()() : o = new Function(t.getPublicPath)(), `${o}${n}`; L23606: } else return "publicPath" in t ? !isBrowserEnv() && !isReactNativeEnv() && "ssrPublicPath" in t ? `${t.ssrPublicPath}${n}` : `${t.publicPath}${n}` : (console.warn("Cannot get reso...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index-C0DvoavR.mjsView on unpkg · L23604

Findings

2 Critical5 Medium5 Low
CriticalBrowser Credential Phishingdist/index-C0DvoavR.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/index-C0DvoavR.mjs
MediumDynamic Requiredist/index-C0DvoavR.mjs
MediumUnsafe Vm Contextdist/index-C0DvoavR.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index-C0DvoavR.mjs
LowHigh Entropy Strings
LowUrl Strings