AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network operations are explicit authentication features, not install- or import-time behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
A consumer explicitly configures and calls the Lettermint transport or Web Push service.
Impact
Sends intended authentication email or notification payloads to configured recipients/endpoints.
Mechanism
Configured email and standards-based Web Push delivery
Rationale
Static inspection shows a normal SvelteKit authentication package with explicit runtime transports and no lifecycle execution or covert collection/exfiltration path. The scanner findings are explained by fixed optional bcrypt compatibility loading, localization text, and user-invoked auth networking.
Evidence
package.jsondist/index.jsdist/server/password.jsdist/server/email/lettermint.jsdist/server/notifications/push.jsdist/server/notifications/push-endpoint.jsdist/server/index.jsdist/client/utils/http.jsdist/client/csrf.js
Network endpoints1
api.lettermint.co/v1
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/server/password.js` dynamically imports only optional `bcrypt` or `bcryptjs` for legacy hash verification.
- `dist/server/email/lettermint.js` and `dist/server/notifications/push.js` make runtime `fetch` calls for configured email and Web Push delivery.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- `dist/index.js` and `dist/server/index.js` are export barrels with no import-time execution.
- `dist/server/password.js` uses the dynamic import solely as a bounded fallback over two fixed peer module names.
- `dist/server/email/lettermint.js` sends only when its exported transport is explicitly configured and invoked.
- `dist/server/notifications/push.js` validates endpoints before delivery; `push-endpoint.js` rejects non-HTTPS, local, private, and link-local literal hosts.
- No filesystem-write, subprocess, environment-harvesting, eval, native-binary, or AI-agent-control artifacts were found in `dist`.
Behavioral surface
CryptoDynamicRequireFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
7 flagged · loading sourcedist/i18n/de.jsView file
33patternName = generic_password
severity = medium
line = 33
matchedText = password...rt',
Medium
47patternName = generic_password
severity = medium
line = 47
matchedText = password...rt',
Medium
74patternName = generic_password
severity = medium
line = 74
matchedText = password...rt',
Medium
dist/server/password.jsView file
85try {
L86: const mod = (await import(/* @vite-ignore */ specifier));
L87: return (password, hash) => mod.compare(password, hash);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/server/password.jsView on unpkg · L85dist/i18n/en.jsView file
33patternName = generic_password
severity = medium
line = 33
matchedText = password...rd',
Medium
47patternName = generic_password
severity = medium
line = 47
matchedText = password...rd',
Medium
74patternName = generic_password
severity = medium
line = 74
matchedText = password...rd',
Medium
Findings
8 Medium4 Low
MediumSecret Patterndist/i18n/de.js
MediumDynamic Requiredist/server/password.js
MediumNetwork
MediumSecret Patterndist/i18n/de.js
MediumSecret Patterndist/i18n/de.js
MediumSecret Patterndist/i18n/en.js
MediumSecret Patterndist/i18n/en.js
MediumSecret Patterndist/i18n/en.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings