
@urbicon-ui/auth@6.10.1

Authentication for SvelteKit — JWT sessions, passkeys/WebAuthn, notifications and email with zero runtime dependencies

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network features are expected auth/email/push functionality and require consumer invocation/configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports and calls auth/email/push helpers at runtime
Impact
No malware behavior identified by static inspection.
Mechanism
SvelteKit auth library with optional email and Web Push transports
Rationale
Static source inspection shows a legitimate SvelteKit authentication package; suspicious scanner signals map to expected optional bcrypt import, localized auth strings, and user-invoked network features. No install-time execution, exfiltration, shell execution, filesystem mutation, persistence, or AI-agent control-surface mutation was found.
Evidence
• package.json
• dist/index.js
• dist/client/index.js
• dist/i18n/index.js
• dist/i18n/de.js
• dist/server/index.js
• dist/server/auth.js
• dist/server/email/lettermint.js
• dist/server/notifications/push.js
• dist/server/notifications/push-endpoint.js
• dist/client/utils/service-worker.js
• dist/sw/index.js
Network endpoints (2)
• api.lettermint.co/v1/send
• user-supplied public HTTPS Web Push endpoints

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install/preinstall/postinstall lifecycle hooks and no dependencies.
• dist/index.js only re-exports client and i18n modules; no import-time execution beyond i18n registration.
• dist/server/auth.js dynamic import is limited to optional bcrypt/bcryptjs legacy password verification.
• dist/i18n/de.js contains German auth UI strings; scanner secret hit is translation text like password/token labels.
• Network use is package-aligned: Lettermint email transport and Web Push endpoints invoked by consumer code.
• No fs, child_process, eval, persistence, destructive actions, or credential harvesting found in inspected dist files.
Behavioral surface
Source: Crypto, Dynamic Require, Filesystem, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
Scanned 142 file(s), 734 KB of source. External domains: 0.0.0.0, 0177.0.0.1, 10.0.0.1, 10.0.0.5, 100.64.0.1, 127.0.0.1, 169.254.0.1, 169.254.169.254, 172.16.3.4, 172.31.255.255, 172.32.0.1, 192.168.1.1, 192.169.0.1, 8.8.8.8, anything-public.example.com, api.lettermint.co, api.localhost, app.example.com, app.example.com.evil.test, app.test, eu.lettermint.test, evil-push.example.com, evil.com, evil.example.com, example.com, fcm.googleapis.com, fcm.googleapis.com.evil.com, other.com, push.example.com, push.test, updates.push.services.mozilla.com, web.push.apple.com

Source & flagged code (15 flagged)
dist/i18n/de.js
  L31: patternName = generic_password severity = medium line = 31 matchedText = password...rt',
  Medium · Secret Pattern
  Package contains a possible secret pattern.

  L47: patternName = generic_password severity = medium line = 47 matchedText = password...rt',
  Medium · Secret Pattern
  Hardcoded password in dist/i18n/de.js

  L81: patternName = generic_password severity = medium line = 81 matchedText = password...rt',
  Medium · Secret Pattern
  Hardcoded password in dist/i18n/de.js

dist/server/auth.js
  L88-L90:
    88: try {
    89:   const mod = (await import(/* @vite-ignore */ specifier));
    90:   return (password, hash) => mod.compare(password, hash);
  Medium · Dynamic Require
  Package source references dynamic require/import behavior.

dist/server/validation.test.js
  L154: patternName = generic_password severity = medium line = 154 matchedText = expect(v...se);
  Medium · Secret Pattern
  Hardcoded password in dist/server/validation.test.js

  L163: patternName = generic_password severity = medium line = 163 matchedText = expect(v...se);
  Medium · Secret Pattern
  Hardcoded password in dist/server/validation.test.js

dist/server/handlers/reset-password.test.js
  L22: patternName = generic_password severity = medium line = 22 matchedText = const re...}));
  Medium · Secret Pattern
  Hardcoded password in dist/server/handlers/reset-password.test.js

  L44: patternName = generic_password severity = medium line = 44 matchedText = const re...}));
  Medium · Secret Pattern
  Hardcoded password in dist/server/handlers/reset-password.test.js

  L60: patternName = generic_password severity = medium line = 60 matchedText = handler....})),
  Medium · Secret Pattern
  Hardcoded password in dist/server/handlers/reset-password.test.js

  L61: patternName = generic_password severity = medium line = 61 matchedText = handler.... }))
  Medium · Secret Pattern
  Hardcoded password in dist/server/handlers/reset-password.test.js

  L74: patternName = generic_password severity = medium line = 74 matchedText = const bo...' };
  Medium · Secret Pattern
  Hardcoded password in dist/server/handlers/reset-password.test.js

dist/server/handlers/register.test.js
  L5: patternName = generic_password severity = medium line = 5 matchedText = const va...' };
  Medium · Secret Pattern
  Hardcoded password in dist/server/handlers/register.test.js

dist/i18n/en.js
  L31: patternName = generic_password severity = medium line = 31 matchedText = password...rd',
  Medium · Secret Pattern
  Hardcoded password in dist/i18n/en.js

  L47: patternName = generic_password severity = medium line = 47 matchedText = password...rd',
  Medium · Secret Pattern
  Hardcoded password in dist/i18n/en.js

  L81: patternName = generic_password severity = medium line = 81 matchedText = password...rd',
  Medium · Secret Pattern
  Hardcoded password in dist/i18n/en.js

Findings

16 Medium · 4 Low
Medium · Secret Pattern · dist/i18n/de.js
Medium · Dynamic Require · dist/server/auth.js
Medium · Network
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/register.test.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings