registry  /  @blockrun/llm  /  3.5.2

@blockrun/llm@3.5.2

BlockRun SDK - Pay-per-request AI (LLM, Image, Video, Music, Voice) via x402 on Base and Solana

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Runtime client or wallet setup can harvest private keys from arbitrary hidden-directory wallet files in the user's home directory. The selected key is then used to sign paid API requests or Solana transfer transactions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Constructing a default client or calling wallet/setup helpers without explicitly supplying a private key.
Impact
Unauthorized use of a discovered cryptocurrency wallet to authorize USDC payments or transfers.
Mechanism
broad home-directory wallet-key discovery followed by automatic payment signing
Attack narrative
The package has no install hook, but its normal runtime wallet resolution scans arbitrary hidden directories under the user home directory for wallet JSON files, extracts private keys, and prefers the newest key. Default client/setup flows use that discovered key for x402 USDC payment signatures and Solana transaction construction against package-controlled API/RPC endpoints. This creates an unconsented path from unrelated local wallet credentials to paid network actions.
Rationale
Broad discovery of unrelated wallet private keys is not required for normal SDK operation and is automatically consumed by default client/wallet flows. The resulting signing capability enables concrete unauthorized fund use, so the scanner's wallet-drain signal is substantiated by source.
Evidence
package.jsondist/index.js~/.blockrun/.session~/.blockrun/.solana-session~/.<hidden-directory>/wallet.json~/.<hidden-directory>/solana-wallet.json~/.brcc/wallet.json
Network endpoints3
blockrun.ai/apisol.blockrun.ai/apisol.blockrun.ai/api/v1/solana/rpc

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/index.js`: `scanWallets()` enumerates every hidden home directory and reads `wallet.json` private keys.
  • `dist/index.js`: `scanSolanaWallets()` similarly reads `solana-wallet.json` and `~/.brcc/wallet.json`.
  • `dist/index.js`: `loadWallet()` and `loadSolanaWallet()` select the newest discovered foreign wallet key.
  • `dist/index.js`: default wallet acquisition calls these loaders before creating a package-owned wallet.
  • `dist/index.js`: payment code signs USDC authorizations/transactions using the selected key and sends requests to BlockRun endpoints.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `dist/index.js` contains no shell execution, `eval`, VM use, or remote code loading.
  • Key scanning occurs on client/wallet setup rather than module import.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 406 KB of source, external domains: base.meowrpc.com, base.publicnode.com, basescan.org, blockrun.ai, bridge.base.org, mainnet.base.org, pay.coinbase.com, sol.blockrun.ai, www.coinbase.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
1// src/client.ts L2: import { privateKeyToAccount } from "viem/accounts"; L3: ... L33: var USDC_SOLANA = "[redacted]"; L34: var DEFAULT_COMPUTE_UNIT_PRICE_MICROLAMPORTS = 1; L35: var DEFAULT_COMPUTE_UNIT_LIMIT = 8e3; ... L79: resource: { L80: url: options.resourceUrl || "https://blockrun.ai/api/v1/chat/completions", L81: description: options.resourceDescription || "BlockRun AI API call", ... L143: transaction.sign([keypair]); L144: const serializedTx = Buffer.from(transaction.serialize()).toString("base64"); L145: const paymentData = {
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/index.jsView on unpkg · L1
dist/index.cjsView file
140Trigger-reachable chain: manifest.main -> dist/index.cjs L140: var USDC_SOLANA = "[redacted]"; L141: var DEFAULT_COMPUTE_UNIT_PRICE_MICROLAMPORTS = 1; L142: var DEFAULT_COMPUTE_UNIT_LIMIT = 8e3; ... L163: } L164: async function createPaymentPayload(privateKey, fromAddress, recipient, amount, network = "eip155:8453", options = {}) { L165: const now = Math.floor(Date.now() / 1e3); ... L186: resource: { L187: url: options.resourceUrl || "https://blockrun.ai/api/v1/chat/completions", L188: description: options.resourceDescription || "BlockRun AI API call", ... L250: transaction.sign([keypair]); L251: const serializedTx = Buffer.from(transaction.serialize()).toString("base64"); L252: const paymentData = {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg · L140

Findings

2 Critical3 Medium4 Low
CriticalWallet Draindist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings