AI Security Review
scanned 5h ago · by lpm-firewall-aiThe user-invoked scaffold CLI passes an attacker-controlled template string to `execSync` as interpolated shell text. A crafted `--template` value can cause local command execution before cloning templates.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `create-reactify-app` with a crafted `--template` argument.
Impact
Arbitrary command execution with the permissions of the CLI user.
Mechanism
Shell command injection through interpolated git-clone command.
Rationale
Source inspection confirms a concrete command-injection path in the template fetcher. It is not automatic on installation and shows no malicious collection or persistence behavior, so warn rather than block.
Evidence
package.jsondist/cli.mjsdist/create-Cu-S6xwB.mjsREADME.md
Network endpoints1
github.com
Decision evidence
public snapshotAI called this Suspicious at 95.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/create-Cu-S6xwB.mjs` interpolates `--template` into an `execSync` shell command.
- Shell command substitution in a crafted template value can execute as the invoking user.
- The vulnerable clone path runs whenever the user invokes the scaffold command.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- CLI execution is user-invoked through `dist/cli.mjs`; imports do not trigger scaffolding.
- Git clone targets the package-aligned `github.com/cyb3rcore/template-*` namespace.
- No credential harvesting, broad filesystem scan, agent-control writes, or stealth persistence found.
Behavioral surface
ChildProcessFilesystemShell
NoLicense
Source & flagged code
1 flagged · loading sourcedist/create-Cu-S6xwB.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = create-reactify-app@0.2.8
matchedIdentity = npm:Y3JlYXRlLXJlYWN0aWZ5LWFwcA:0.2.8
similarity = 0.667
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/create-Cu-S6xwB.mjsView on unpkgFindings
1 High4 Low
HighPrevious Version Dangerous Deltadist/create-Cu-S6xwB.mjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License