registry  /  @sedibyte/auth  /  0.3.3

@sedibyte/auth@0.3.3

Provider-agnostic authentication manager for various platforms (Microsoft, Salesforce, with more to come).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Runtime Graph and Salesforce helpers can attach access tokens to arbitrary HTTPS destinations when callers supply absolute URLs. No install-time, import-time, persistence, or local-file attack behavior was found.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer calls `graphFetch` or `restFetch` with an attacker-controlled absolute HTTPS URL.
Impact
An application that passes untrusted request paths could disclose its Microsoft or Salesforce access token to an external host.
Mechanism
Bearer-token forwarding to caller-supplied absolute HTTPS URLs.
Rationale
Source inspection found no malicious lifecycle behavior, credential harvesting, persistence, or hidden network destination. However, unrestricted absolute-URL support combined with automatic bearer-token headers creates a concrete credential-disclosure risk in unsafe integrations.
Evidence
package.jsondist/providers/microsoft/graph.jsdist/providers/salesforce/client.jsdist/providers/microsoft/provider.jsdist/providers/salesforce/provider.jsdist/auth.jsdist/providers/microsoft/validate.jsdist/providers/microsoft/index.jsdist/providers/salesforce/index.jsdist/providers/salesforce/provider.d.ts
Network endpoints3
login.microsoftonline.comgraph.microsoft.com/v1.0login.salesforce.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/providers/microsoft/graph.js` sends its bearer token to any caller-supplied absolute `https://` URL.
  • `dist/providers/salesforce/client.js` likewise accepts arbitrary absolute HTTPS URLs and attaches its Salesforce bearer token.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time hook is present.
  • `dist/auth.js` only maintains in-memory provider/token caches.
  • Provider credentials are explicit options; no environment, filesystem, shell, eval, or dynamic loading is used.
  • Fixed token exchanges target Microsoft and Salesforce authentication endpoints.
  • `dist/providers/salesforce/provider.d.ts` describes a caller-provided private-key field, not an embedded secret.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 8 file(s), 16.3 KB of source, external domains: graph.microsoft.com, login.microsoftonline.com, login.salesforce.com, sts.windows.net

Source & flagged code

3 flagged · loading source
dist/providers/salesforce/provider.d.tsView file
14patternName = private_key_rsa severity = critical line = 14 matchedText = * RSA pr...---`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/providers/salesforce/provider.d.tsView on unpkg · L14
14patternName = private_key_rsa severity = critical line = 14 matchedText = * RSA pr...---`
Critical
Secret Pattern

RSA private key in dist/providers/salesforce/provider.d.ts

dist/providers/salesforce/provider.d.tsView on unpkg · L14
README.mdView file
130patternName = private_key_rsa severity = critical line = 130 matchedText = The priv...ck).
Critical
Secret Pattern

RSA private key in README.md

README.mdView on unpkg · L130

Findings

3 Critical1 Medium4 Low
CriticalCritical Secretdist/providers/salesforce/provider.d.ts
CriticalSecret Patterndist/providers/salesforce/provider.d.ts
CriticalSecret PatternREADME.md
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License