registry  /  9router-ray  /  0.5.74

9router-ray@0.5.74

9Router CLI - Start and manage 9Router server

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation mutates user environments by installing runtime npm dependencies and a Python anti-detect browser package. Runtime code can automate XAI OAuth login and run a TLS MITM proxy for selected AI-provider hosts, retaining intercepted traffic locally.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install runs postinstall; user-enabled relogin or MITM features run later.
Impact
Can acquire/refresh service tokens and locally capture sensitive AI-provider request data; high-risk dual-use behavior.
Mechanism
install-time cloakbrowser bootstrap plus AI-provider OAuth automation and TLS interception
Rationale
This is not a confirmed malware/exfiltration chain, but it performs unprompted installation of an anti-detect browser and ships credential-handling MITM/OAuth automation. Those concrete capabilities warrant a warning rather than a publication block under the stated policy.
Evidence
package.jsonhooks/postinstall.jshooks/pythonRuntime.jshooks/sqliteRuntime.jshooks/trayRuntime.jsapp/relogin-grok.pyapp/src/mitm/server.js~/.9router/runtime/package.json~/.9router/logs/mitm
Network endpoints11
registry.npmjs.org/9router-ray/latestauth.x.ai/oauth2/authorizeauth.x.ai/oauth2/tokencli-chat-proxy.grok.com/v1/responsesapi.individual.githubcopilot.comdaily-cloudcode-pa.googleapis.comcloudcode-pa.googleapis.comq.us-east-1.amazonaws.comcodewhisperer.us-east-1.amazonaws.comruntime.us-east-1.kiro.devapi2.cursor.sh

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json runs hooks/postinstall.js automatically.
  • hooks/pythonRuntime.js postinstall installs cloakbrowser==0.4.7 with pip.
  • app/relogin-grok.py automates headless XAI login, password entry, and OAuth consent.
  • app/src/mitm/server.js targets Copilot, Google Cloud Code, Kiro, and Cursor traffic.
  • app/src/mitm/server.js writes intercepted request headers/bodies to local MITM logs.
Evidence against
  • Observed remote endpoints are npm registry and XAI/Grok service endpoints, not an attacker-controlled sink.
  • SQLite and tray runtime installs are pinned package dependencies.
  • CLI agent-tool settings are exposed through explicit runtime menu/API actions, not postinstall.
  • No source-confirmed credential exfiltration, remote payload fetch, or foreign AI-agent config mutation found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 554 KB of source, external domains: 127.0.0.1, api.example.com, registry.npmjs.org, www.apple.com

Source & flagged code

16 flagged · loading source
package.jsonView file
scripts.postinstall = node hooks/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node hooks/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
app/.next-cli-build/server/chunks/4306.jsView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

app/.next-cli-build/server/chunks/4306.jsView on unpkg · L1
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Secret Pattern

RSA private key in app/.next-cli-build/server/chunks/4306.js

app/.next-cli-build/server/chunks/4306.jsView on unpkg · L1
app/src/mitm/server.jsView file
33`):null,text:v.text||null}}function Pn(e,t){let a=Buffer.from(e,"utf8"),r=Buffer.from(t,"utf8"),n=Buffer.alloc(1+a.length+1+2+r.length),s=0;return n[s++]=a.length,a.copy(n,s),s+=a.... L34: `);t.push({role:"tool",tool_call_id:n.toolUseId||"",content:s})}let r=(e.content||"").trim();return(r||a.length===0)&&t.push({role:"user",content:r}),t}function hd(e){let t=e.toolU... L35: $proc = Start-Process powershell -ArgumentList @(
High
Child Process

Package source references child process execution.

app/src/mitm/server.jsView on unpkg · L33
24Private-MAC: `+B.digest().toHex()+`\r L25: `,s};Ea.publicKeyToOpenSSH=function(e,t){var a="ssh-rsa";t=t||"";var r=Ce.util.createBuffer();return mr(r,a),Et(r,e.e),Et(r,e.n),a+" "+Ce.util.encode64(r.bytes())+" "+t};Ea.private... L26: `);u=c.pop()||"";for(let g of c){let v=g.trim();if(!v||!v.startsWith("data:"))continue;let y=v.slice(5).trim();if(y!=="[DONE]"){process.env.DEBUG_MITM&&Ta(`[SSE in] ${y.slice(0,200... ... L33: `):null,text:v.text||null}}function Pn(e,t){let a=Buffer.from(e,"utf8"),r=Buffer.from(t,"utf8"),n=Buffer.alloc(1+a.length+1+2+r.length),s=0;return n[s++]=a.length,a.copy(n,s),s+=a.... L34: `);t.push({role:"tool",tool_call_id:n.toolUseId||"",content:s})}let r=(e.content||"").trim();return(r||a.length===0)&&t.push({role:"user",content:r}),t}function hd(e){let t=e.toolU... L35: $proc = Start-Process powershell -ArgumentList @(
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

app/src/mitm/server.jsView on unpkg · L24
24Private-MAC: `+B.digest().toHex()+`\r L25: `,s};Ea.publicKeyToOpenSSH=function(e,t){var a="ssh-rsa";t=t||"";var r=Ce.util.createBuffer();return mr(r,a),Et(r,e.e),Et(r,e.n),a+" "+Ce.util.encode64(r.bytes())+" "+t};Ea.private... L26: `);u=c.pop()||"";for(let g of c){let v=g.trim();if(!v||!v.startsWith("data:"))continue;let y=v.slice(5).trim();if(y!=="[DONE]"){process.env.DEBUG_MITM&&Ta(`[SSE in] ${y.slice(0,200... ... L33: `):null,text:v.text||null}}function Pn(e,t){let a=Buffer.from(e,"utf8"),r=Buffer.from(t,"utf8"),n=Buffer.alloc(1+a.length+1+2+r.length),s=0;return n[s++]=a.length,a.copy(n,s),s+=a.... L34: `);t.push({role:"tool",tool_call_id:n.toolUseId||"",content:s})}let r=(e.content||"").trim();return(r||a.length===0)&&t.push({role:"user",content:r}),t}function hd(e){let t=e.toolU... L35: $proc = Start-Process powershell -ArgumentList @( ... L38: ) -Verb RunAs -Wait -PassThru -WindowStyle Hidden; L39: if ($proc.ExitCode -ne 0) { throw "Elevated command exited with code $($proc.ExitCode)" } L40: `;return new Promise((r,n)=>{$o(`powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command ${Xo(a)}`,{windowsHide:!0},(s,i,o)=>{if(s){let u=o||s.message;u.includes("ca..
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

app/src/mitm/server.jsView on unpkg · L24
cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = 9router-ray@0.5.73 matchedIdentity = npm:OXJvdXRlci1yYXk:0.5.73 similarity = 0.971 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli.jsView on unpkg
210if (process.platform === "win32") { L211: const psCmd = `powershell -NonInteractive -WindowStyle Hidden -Command "Get-WmiObject Win32_Process -Filter 'Name=\\"cloudflared.exe\\"' | Select-Object ProcessId,CommandLine | Con... L212: const output = execSync(psCmd, { encoding: "utf8", windowsHide: true, timeout: 5000 });
High
Shell

Package source references shell execution.

cli.jsView on unpkg · L210
2Cross-file remote execution chain: cli.js spawns app/src/mitm/server.js; helper contains network access plus dynamic code execution. L2: L3: const { spawn, exec, execSync } = require("child_process"); L4: const path = require("path"); L5: const fs = require("fs"); L6: const https = require("https"); L7: const os = require("os"); ... L16: start() { L17: if (process.stdout.isTTY) { L18: process.stdout.write(`\r${frames[0]} ${currentText}`); L19: interval = setInterval(() => { ... L44: L45: const pkg = require("./package.json");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

cli.jsView on unpkg · L2
app/server.jsView file
1const path = require('path') L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

app/server.jsView on unpkg · L1
src/cli/tray/autostart.jsView file
3const os = require("os"); L4: const { execSync } = require("child_process"); L5: ... L36: } L37: const computed = path.resolve(__dirname, "..", "..", "..", "cli.js"); L38: if (fs.existsSync(computed)) return computed; ... L47: function enableAutoStart(cliPath) { L48: const platform = process.platform; L49: L50: if (!["darwin", "win32", "linux"].includes(platform)) return false; L51: if (platform === "linux" && !process.env.DISPLAY) return false; L52:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli/tray/autostart.jsView on unpkg · L3
app/src/lib/updater/updater.jsView file
1// Standalone detached updater process. L2: // Spawns `npm i -g <pkg>@latest`, exposes progress via tiny HTTP server. L3: // Survives after parent Next server exits (detached + unref by spawner). L4: L5: const { spawn } = require("child_process"); L6: const http = require("http");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

app/src/lib/updater/updater.jsView on unpkg · L1
app/relogin-grok.pyView file
path = app/relogin-grok.py kind = build_helper sizeBytes = 13245 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

app/relogin-grok.pyView on unpkg
app/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2View file
path = app/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2 kind = high_entropy_blob sizeBytes = 3962536 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

app/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2View on unpkg
app/.next-cli-build/server/chunks/8971.jsView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Secret Pattern

RSA private key in app/.next-cli-build/server/chunks/8971.js

app/.next-cli-build/server/chunks/8971.jsView on unpkg · L1

Findings

4 Critical8 High7 Medium6 Low
CriticalCritical Secretapp/.next-cli-build/server/chunks/4306.js
CriticalPrevious Version Dangerous Deltacli.js
CriticalSecret Patternapp/.next-cli-build/server/chunks/4306.js
CriticalSecret Patternapp/.next-cli-build/server/chunks/8971.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processapp/src/mitm/server.js
HighShellcli.js
HighSame File Env Network Executionapp/src/mitm/server.js
HighCommand Output Exfiltrationapp/src/mitm/server.js
HighCross File Remote Execution Contextcli.js
HighRuntime Package Installapp/src/lib/updater/updater.js
HighShips High Entropy Blobapp/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireapp/server.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli/tray/autostart.js
MediumShips Build Helperapp/relogin-grok.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings