registry  /  @adguard/dnr-rulesets  /  4.0.20260714100038

@adguard/dnr-rulesets@4.0.20260714100038

Utility to create AdGuard DNR rulesets for mv3 extensions

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A packaged browser-script payload can intercept target-page code and submit page-derived form data to a dynamically decoded endpoint. The package itself carries and exports the payload; downstream extension injection is required for execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A downstream extension uses the local script rules on `tulink.org` or `acortados.com`.
Impact
Potential disclosure or redirection of target-page form data to an endpoint controlled by page state.
Mechanism
Staged browser script injection with form-data forwarding
Rationale
The payload's page-data forwarding is concrete and cannot be dismissed as the scanner's Proxy heuristic, but execution depends on a downstream extension applying the packaged rule. No lifecycle, persistence, host credential theft, or AI-agent control-surface mutation was found.
Evidence
dist/filters/local_script_rules.jsdist/filters/local_script_rules.jsondist/lib/index.jsdist/cli.cjspackage.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/filters/local_script_rules.js` embeds a rule that proxies `Function.prototype.constructor`, reads page `api_key`/`link_out`, serializes a form, and POSTs it to a dynamically decoded `window.ext_site`.
  • `dist/filters/local_script_rules.json` enables that payload for `tulink.org` and `acortados.com`.
  • The payload also POSTs to same-origin `/check.php`, so it actively performs browser-side network requests when injected.
  • `dist/lib/index.js` packages and copies these local script-rule assets for downstream extension use.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • `dist/cli.cjs` runs only when invoked as the `dnr-rulesets` CLI; it does not execute on library import.
  • The CLI's static download endpoint is package-aligned: `https://filters.adtidy.org/extension/chromium-mv3`.
  • No package code reads credential stores, AI-agent configuration, or performs install-time persistence.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 3 file(s), 2.30 MB of source, external domains: af.gog.com, dai.google.com, file-upload.org, filters.adtidy.org, foo.com, future-sale-system.de, googleads.g.doubleclick.net, pubads.g.doubleclick.net, securepubads.g.doubleclick.net, www.facebook.com, www.gog.com, www.iab.net, www.ndtv.com, www.wp.pl
Oversized source lightweight scan
dist/cli.cjs3.80 MB file, sampled 256 KB
FilesystemNetworkCrypto

Source & flagged code

5 flagged · loading source
dist/lib/index.jsView file
10import { fileURLToPath } from 'node:url'; L11: import axios from 'axios'; L12: import fastGlob from 'fast-glob'; ... L951: var reservedWords = { L952: 3: "abstract boolean byte char class double enum export extends final float goto implements import int interface long native package private protected public short static super syn... L953: 5: "class enum extends super const export import", ... L1000: if (code <= 0xffff) { L1001: return code >= 0xaa && nonASCIIidentifierStart.test(String.fromCharCode(code)); L1002: } ... L8241: start: S.token, L8242: body: block_(), L8243: end: prev()
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/lib/index.jsView on unpkg · L10
dist/filters/local_script_rules.jsView file
1export const localScriptRules = { L2: '(function(){var a=document.currentScript,b=String.prototype.charCodeAt,c=function(){return true;};Object.defineProperty(String.prototype,"charCodeAt",{get:function(){return docume... L3: try { ... L378: }, L379: "document.addEventListener('click',function(e){var t=e.target.closest('.click_coupons_code');if(!t)return;e.stopPropagation();e.preventDefault();var u=t.dataset.hrefAlt||null;if(u)... L380: try { ... L446: }, L447: '!function(){const p={apply:(p,e,n)=>{const r=Reflect.apply(p,e,n),s=r?.[0]?.props?.data;return s&&null===s.user&&(r[0].props.data.user="guest"),r}};window.JSON.parse=new Proxy(win... L448: try { ... L780: }, L781: "(()=>{const e=function(){};window.tC={privacy:{getOptinCategories:e,cookieData:[]},addConsentChangeListener:e,removeConsentChangeListener:e,container:{reload:e}},window.tc_events_... L782: try {
Critical
Global Object Hijack Exfiltration

Source reassigns a global/builtin to a Proxy that forwards intercepted runtime data to an external endpoint.

dist/filters/local_script_rules.jsView on unpkg · L1
dist/re2.wasmView file
path = dist/re2.wasm kind = wasm_module sizeBytes = 892736 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/re2.wasmView on unpkg
dist/cli.cjsView file
path = dist/cli.cjs kind = oversized_source_file sizeBytes = 3987122 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.cjsView on unpkg
path = dist/cli.cjs kind = oversized_cli_entrypoint sizeBytes = 3987122 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.cjsView on unpkg

Findings

1 Critical1 High4 Medium7 Low
CriticalGlobal Object Hijack Exfiltrationdist/filters/local_script_rules.js
HighOversized Source Filedist/cli.cjs
MediumNetwork
MediumShips Wasm Moduledist/re2.wasm
MediumOversized Cli Entrypointdist/cli.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/lib/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License