/* phi homepage — interactive components */
const { useState, useEffect, useRef, useMemo } = React;
/* ============================================================
* LIVE SCANNER PANEL (hero right side)
* ========================================================== */
// Sample feed for the hero scanner. Real packages with real verdicts:
// - lodash@4.17.20 has 5 OSV advisories (sum to ~70).
// - ua-parser-js@0.7.29 was a confirmed malicious release in Oct 2021
// (crypto miner + Windows password stealer).
// - node-ipc@10.1.1 was the protestware release in Mar 2022.
// - The REVIEW-flagged ones (zod, pino, esbuild) match phi's actual
// corpus output for those versions on v0.1.0.
const PKG_FEED = [
{ name: "react", ver: "18.3.1", files: 102, score: 0, verdict: "SAFE", sev: "v-safe" },
{ name: "next", ver: "15.0.3", files: 1843, score: 5, verdict: "SAFE", sev: "v-safe" },
{ name: "lodash", ver: "4.17.20", files: 1047, score: 70, verdict: "BLOCKED", sev: "v-block" },
{ name: "express", ver: "4.21.0", files: 67, score: 0, verdict: "SAFE", sev: "v-safe" },
{ name: "ua-parser-js", ver: "0.7.29", files: 14, score: 95, verdict: "BLOCKED", sev: "v-block" },
{ name: "zod", ver: "3.23.8", files: 38, score: 20, verdict: "REVIEW", sev: "v-review" },
{ name: "axios", ver: "1.7.7", files: 156, score: 0, verdict: "SAFE", sev: "v-safe" },
{ name: "fastify", ver: "5.0.0", files: 234, score: 10, verdict: "SAFE", sev: "v-safe" },
{ name: "ws", ver: "8.18.0", files: 41, score: 0, verdict: "SAFE", sev: "v-safe" },
{ name: "vite", ver: "6.0.1", files: 412, score: 5, verdict: "SAFE", sev: "v-safe" },
{ name: "esbuild", ver: "0.24.0", files: 8, score: 25, verdict: "REVIEW", sev: "v-review" },
{ name: "pino", ver: "9.5.0", files: 79, score: 55, verdict: "REVIEW", sev: "v-review" },
{ name: "node-ipc", ver: "10.1.1", files: 96, score: 70, verdict: "BLOCKED", sev: "v-block" },
];
function ScoreBar({ score, sev }) {
return (
{score}
);
}
function LiveScanner() {
const [head, setHead] = useState(0); // index of next package to scan
const VISIBLE = 8;
// tick to advance scanned cursor
useEffect(() => {
const t = setInterval(() => {
setHead(h => (h + 1) % (PKG_FEED.length + 6)); // pause at end before looping
}, 900);
return () => clearInterval(t);
}, []);
const rows = useMemo(() => {
const start = Math.max(0, Math.min(head - VISIBLE + 1, PKG_FEED.length - VISIBLE));
return PKG_FEED.slice(start, start + VISIBLE).map((p, i) => ({
...p,
globalIdx: start + i,
isScanning: start + i === head && head < PKG_FEED.length,
isPending: start + i > head,
}));
}, [head]);
const scanned = Math.min(head + 1, PKG_FEED.length);
const blocked = PKG_FEED.slice(0, scanned).filter(p => p.verdict === "BLOCKED").length;
const review = PKG_FEED.slice(0, scanned).filter(p => p.verdict === "REVIEW").length;
const safe = scanned - blocked - review;
return (
scanning · my-app/package-lock.json
{scanned}/{PKG_FEED.length}
0.{(scanned * 73).toString().padStart(3, "0")}s
{rows.map((p) => (
{String(p.globalIdx + 1).padStart(2, "0")}
{p.name}@{p.ver}
{p.files}f
{p.isPending ? (
—
) : p.isScanning ? (
···
) : (
)}
{p.isPending || p.isScanning ? (
—
) : (
{p.verdict}
)}
))}
);
}
/* ============================================================
* DETECTOR GRID
* ========================================================== */
const DETECTORS = [
{
sym: "Ace",
name: "Arbitrary Code Execution",
sev: "crit", pts: 35,
layer: "AST validated",
examples: "eval(...) · child_process.exec / spawn",
body: [
<>Direct execution of arbitrary code. Phi parses every .js / .cjs / .mjs file with goja and only fires on real CallExpression nodes.,
<>References inside string literals, comments, or identifier names are suppressed. eslint's source contains eval in regex patterns — AST validation correctly skips those.,
],
},
{
sym: "Dyn",
name: "Dynamic Code Compilation",
sev: "high", pts: 20,
layer: "AST validated",
examples: "new Function(...)",
body: [
<>String-to-function compilation. Legitimately used by validator generators (zod, ajv), JSON serializers (fast-json-stringify), route compilers (find-my-way), and prettier.,
<>Demoted to HIGH so a single hit lands in REVIEW — combined with a CRITICAL or another HIGH it can still escalate.,
],
},
{
sym: "Obf",
name: "Code Obfuscation",
sev: "crit", pts: 35,
layer: "Pattern · diversity-checked",
examples: "\\xNN runs · Buffer.from(b64) · String.fromCharCode",
body: [
<>Techniques used to hide malicious payloads: hex-escape sequences of 6+ pairs, base64-decoded buffers, charcode arrays of 4+, atob.,
<>The hex matcher applies a diversity check — uniform-byte runs (e.g. \x07\x07\x07…) are skipped, because real obfuscators emit varied bytes.,
],
},
{
sym: "Cred",
name: "Credential Theft",
sev: "crit", pts: 35,
layer: "Smart matcher",
examples: ".npmrc · .netrc · id_rsa · AWS_SECRET_*",
body: [
<>Access to API keys, tokens, or credential files. Knows the package's normalized name and silently skips reads of its own env vars — resend reading RESEND_API_KEY doesn't fire.,
<>Unrelated package reading AWS_SECRET_ACCESS_KEY does. File-based references — .npmrc, .netrc, id_rsa, id_ed25519 — fire unconditionally.,
],
},
{
sym: "Inst",
name: "Install Script Abuse",
sev: "crit", pts: 35,
layer: "Smart matcher",
examples: "preinstall · install · postinstall",
body: [
<>Lifecycle scripts that pipe remote code into a shell. Phi only inspects the three install hooks of package.json.,
<>Test scripts, prepublish hooks, and build scripts that happen to use node -e or curl | sh don't fire. ljharb-style utility false positives eliminated.,
],
},
{
sym: "Min",
name: "Crypto Mining",
sev: "crit", pts: 35,
layer: "Pattern",
examples: "stratum+tcp:// · CoinHive · CryptoNight",
body: [
<>Cryptocurrency mining APIs and pool connections: CoinHive, Monero/XMR references, stratum+tcp:// URLs, CryptoNight algorithm references.,
],
},
{
sym: "Wlt",
name: "Wallet Drain",
sev: "crit", pts: 35,
layer: "Pattern",
examples: "web3.eth.sendTransaction · ethers.Wallet · drainTokens",
body: [
<>Cryptocurrency wallet access or transfer patterns. Picks up web3.eth.sendTransaction, ethers.Wallet instantiation, and obvious function names (drainTokens, drainWallet).,
],
},
{
sym: "Sh",
name: "Reverse Shell",
sev: "crit", pts: 35,
layer: "Pattern",
examples: "/bin/bash -i · /dev/tcp/ · mkfifo · nc -e",
body: [
<>Patterns used to open a remote shell back to an attacker: /bin/bash -i, redirections through /dev/tcp/, mkfifo pipelines, nc -e /bin/.,
],
},
{
sym: "Net",
name: "Network Exfiltration",
sev: "high", pts: 20,
layer: "Narrow allowlist",
examples: ".onion · pastebin · webhook.site · ngrok · transfer.sh",
body: [
<>Outbound calls to known exfiltration services or hidden domains: .onion, pastebin, hastebin, requestbin, webhook.site, ngrok.io, transfer.sh, anonfiles, gofile, paste.ee, controlc.,
<>Generic fetch, axios, and require('http') patterns produce too many false positives on legitimate API clients — not flagged here.,
],
},
{
sym: "Tsq",
name: "Typosquatting",
sev: "high", pts: 20,
layer: "Levenshtein · distance 1",
examples: "lodahs · expres · axiios · reactt · vuee",
body: [
<>Package name within Levenshtein distance 1 of a popular package (lodash, express, axios, react, vue, …).,
<>Distance-2 was tried originally but produced false positives on legitimate short names like fecha matching mocha.,
],
},
{
sym: "Fs",
name: "File System Access",
sev: "high", pts: 20,
layer: "Pattern",
examples: "/etc/passwd · .aws/credentials · .kube/config",
body: [
<>Reads of OS-level sensitive paths: /etc/passwd, /etc/shadow, .aws/credentials, .kube/config, .docker/config.json.,
<>Generic ../../ path traversal patterns are deliberately not flagged — they fire on every legit relative path in tests and fixtures.,
],
},
];
function DetectorGrid() {
const [active, setActive] = useState(0);
const det = DETECTORS[active];
return (
<>
{DETECTORS.map((d, i) => (
))}
DETECTOR
{String(active + 1).padStart(2, "0")} · {det.sym}
SEVERITY
{det.sev === "crit" ? "CRITICAL · +35" : "HIGH · +20"}
METHOD
{det.layer}
SIGNATURES
{det.examples}
{det.name}
{det.body.map((p, i) =>
{p}
)}
);
}
/* ============================================================
* VERDICT GAUGE
* ========================================================== */
const SAMPLE_PKGS = [
{
id: "react", name: "react@18.3.1", desc: "the obvious one",
score: 0, verdict: "SAFE", sev: "v-safe",
hits: [],
},
{
id: "pino", name: "pino@9.5.0", desc: "logger w/ fast-json",
score: 30, verdict: "REVIEW", sev: "v-review",
hits: [
{ sev: "high", what: "Dynamic Code Compilation", layer: "AST · new Function", pts: 20 },
{ sev: "mod", what: "Network Exfiltration", layer: "Pattern · transfer.sh ref", pts: 10 },
],
},
{
id: "lodash", name: "lodash@4.17.20", desc: "5 known CVEs",
score: 70, verdict: "BLOCKED", sev: "v-block",
hits: [
{ sev: "high", what: "GHSA-35jh-r3h4-6jhm", layer: "OSV · Command Injection", pts: 20 },
{ sev: "high", what: "GHSA-r5fr-rjxr-66jc", layer: "OSV · Code Injection (_.template)", pts: 20 },
{ sev: "mod", what: "GHSA-29mw-wpgm-hmr9", layer: "OSV · ReDoS", pts: 10 },
{ sev: "mod", what: "GHSA-f23m-r3pf-42rh", layer: "OSV · Prototype Pollution", pts: 10 },
{ sev: "mod", what: "GHSA-xxjr-mmjv-4gpg", layer: "OSV · Prototype Pollution (_.unset)", pts: 10 },
],
},
{
id: "uaparser", name: "ua-parser-js@0.7.29", desc: "confirmed malware (Oct 2021)",
score: 95, verdict: "BLOCKED", sev: "v-block",
hits: [
{ sev: "crit", what: "Install Script Abuse", layer: "postinstall · jsextension exec", pts: 35 },
{ sev: "crit", what: "Crypto Mining", layer: "Pattern · stratum+tcp pool", pts: 35 },
{ sev: "high", what: "Network Exfiltration", layer: "Pattern · attacker C2 host", pts: 20 },
{ sev: "low", what: "Code Obfuscation", layer: "Pattern · base64 payload", pts: 5 },
],
},
];
function VerdictLab() {
const [pickIdx, setPickIdx] = useState(0);
const pkg = SAMPLE_PKGS[pickIdx];
const score = pkg.score;
const pct = Math.min(100, score);
const sevColor = pkg.sev === "v-safe" ? "var(--safe)"
: pkg.sev === "v-review" ? "var(--mod)"
: "var(--crit)";
return (
{/* gauge side */}
RISK SCORE · 0–100
verdict thresholds: 20 · 60
SAFE
REVIEW
BLOCKED
{Array.from({ length: 10 }, (_, i) => )}
{SAMPLE_PKGS.map((p, i) => (
))}
{/* hits side */}
DETECTOR HITS · {pkg.hits.length}
{pkg.name}
{pkg.hits.length === 0 ? (
✓ no detector hits
clean across 11 detectors and the OSV feed
) : (
pkg.hits.map((h, i) => (
{h.sev === "crit" ? "CRITICAL" : h.sev === "high" ? "HIGH" : "MODERATE"}
{h.what}
· {h.layer}
+{h.pts}
))
)}
{pkg.hits.length > 0 && (
SUM
+{score} → {pkg.verdict}
)}
$ phi audit
Phi · secure package manager
resolving dependency tree...
scanning 1 packages...
{"\n"}
lodash@4.17.20 files=1047 score=70 verdict=BLOCKED
- [HIGH] advisory GHSA-35jh-r3h4-6jhm — Command Injection in lodash
- [HIGH] advisory GHSA-r5fr-rjxr-66jc — Code Injection via _.template
- [MODERATE] advisory GHSA-29mw-wpgm-hmr9 — Regular Expression DoS
- [MODERATE] advisory GHSA-f23m-r3pf-42rh — Prototype Pollution via array path
- [MODERATE] advisory GHSA-xxjr-mmjv-4gpg — Prototype Pollution in _.unset
{"\n"}
audit: 1 scanned (safe=0 review=0 blocked=1)
report: phi-report.json
),
},
{
label: "phi install",
content: (
<>
$ phi install
Phi · secure package manager
resolving dependency tree...
scanning 12 packages...
{"\n"}
lodash@4.17.20 files=1047 score=70 verdict=BLOCKED
- [HIGH] advisory GHSA-35jh-r3h4-6jhm — Command Injection in lodash
- [MODERATE] advisory GHSA-29mw-wpgm-hmr9 — Regular Expression DoS
...
{"\n"}
phi: install aborted: 1 package(s) blocked; report written to phi-report.json
pin a safe version (lodash@^4.17.21) and re-run.
),
},
{
label: "phi do",
content: (
<>
$ phi do dev
{"\n"}
> my-app@0.1.0 dev
> next dev
{"\n"}
▲ Next.js 15.0.3
- Local: http://localhost:3000
- Network: http://192.168.1.42:3000
{"\n"}
✓ Ready in 1.4s
{"\n"}
node_modules/.bin is on PATH — installed CLIs work without npx.
),
},
{
label: "phi why",
content: (
<>
$ phi why lodash
lodash@4.17.20
my-app > lodash
my-app > express-validator > lodash.merge > lodash
),
},
];
function CliDemo() {
const [tab, setTab] = useState(0);
return (
{CLI_TABS.map((t, i) => (
setTab(i)}>
{t.label}
))}
~/projects/my-app
{CLI_TABS[tab].content}
);
}
/* ============================================================
* MOUNT
* ========================================================== */
ReactDOM.createRoot(document.getElementById("scanner-mount")).render();
ReactDOM.createRoot(document.getElementById("detectors-mount")).render();
ReactDOM.createRoot(document.getElementById("verdict-mount")).render();
ReactDOM.createRoot(document.getElementById("cli-mount")).render();