registry  /  create-reactify-app  /  0.3.0

create-reactify-app@0.3.0

Scaffold Reactify projects — Fastify + React + Vite SSR

AI Security Review

scanned 5h ago · by lpm-firewall-ai

The user-invoked scaffold CLI passes an attacker-controlled template string to `execSync` as interpolated shell text. A crafted `--template` value can cause local command execution before cloning templates.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `create-reactify-app` with a crafted `--template` argument.
Impact
Arbitrary command execution with the permissions of the CLI user.
Mechanism
Shell command injection through interpolated git-clone command.
Rationale
Source inspection confirms a concrete command-injection path in the template fetcher. It is not automatic on installation and shows no malicious collection or persistence behavior, so warn rather than block.
Evidence
package.jsondist/cli.mjsdist/create-Cu-S6xwB.mjsREADME.md
Network endpoints1
github.com

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/create-Cu-S6xwB.mjs` interpolates `--template` into an `execSync` shell command.
  • Shell command substitution in a crafted template value can execute as the invoking user.
  • The vulnerable clone path runs whenever the user invokes the scaffold command.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • CLI execution is user-invoked through `dist/cli.mjs`; imports do not trigger scaffolding.
  • Git clone targets the package-aligned `github.com/cyb3rcore/template-*` namespace.
  • No credential harvesting, broad filesystem scan, agent-control writes, or stealth persistence found.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 3 file(s), 17.1 KB of source

Source & flagged code

1 flagged · loading source
dist/create-Cu-S6xwB.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = create-reactify-app@0.2.8 matchedIdentity = npm:Y3JlYXRlLXJlYWN0aWZ5LWFwcA:0.2.8 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/create-Cu-S6xwB.mjsView on unpkg

Findings

1 High4 Low
HighPrevious Version Dangerous Deltadist/create-Cu-S6xwB.mjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License