AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time attack behavior is present, but runtime wallet setup exposes a remote-code-execution primitive through a trusted Rabet postMessage. This is a serious vulnerability/dual-use capability rather than confirmed malware.
Decision evidence
public snapshot- dist/index.esm.js and dist/index.cjs.js contain a reachable `new Function(e.data.message)()` gated only by postMessage origin `https://mobile.rabet.io` and type `RABET/INSTALL`.
- `createConfig` calls wallet availability setup that registers the Rabet message listener at runtime.
- Runtime network/API use includes package-aligned hosts such as `https://api.blux.cc`, `https://cdn2.blux.cc`, Stellar RPC/Horizon hosts, and wallet provider URLs.
- Browser storage holds Blux JWT/recent connection state under `__BLUX__JWT_STORE` and related keys.
- package.json has no preinstall/install/postinstall/prepare lifecycle hooks and no bin entry.
- Clipboard use is UI-aligned: copy address and paste destination address, not crypto address replacement.
- No child_process import, shell execution, filesystem writes, destructive behavior, or credential file harvesting found.
- Network calls are consistent with a Stellar wallet/auth/connect SDK rather than exfiltration to unrelated endpoints.
- `process.env` matches bundled semver debug code, not package credential access.
Source & flagged code
4 flagged · loading sourceSource reads and rewrites clipboard contents matching cryptocurrency wallet addresses.
dist/index.cjs.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.cjs.jsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.cjs.jsView on unpkg · L27Package source references a known benign dynamic code generation pattern.
dist/index.cjs.jsView on unpkg · L34