registry  /  @bluxcc/core  /  0.2.13

@bluxcc/core@0.2.13

Blux is a wallet infra for the Stellar network

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time attack behavior is present, but runtime wallet setup exposes a remote-code-execution primitive through a trusted Rabet postMessage. This is a serious vulnerability/dual-use capability rather than confirmed malware.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application calls `createConfig` and a page receives `RABET/INSTALL` postMessage from `https://mobile.rabet.io`.
Impact
Code from the Rabet origin can execute in the consuming dApp page context.
Mechanism
remote postMessage string executed via `new Function`
Rationale
Static source inspection does not confirm malware, but the Rabet postMessage `new Function` path is a real reachable runtime RCE risk. Treat as a warning/critical vulnerability rather than publish-block malware.
Evidence
package.jsondist/index.esm.jsdist/index.cjs.jsREADME.md
Network endpoints4
mobile.rabet.ioapi.blux.cccdn2.blux.cc/core-assets/logos2.json.gzcdn2.blux.cc/core-assets/asset-meta.json.gz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • dist/index.esm.js and dist/index.cjs.js contain a reachable `new Function(e.data.message)()` gated only by postMessage origin `https://mobile.rabet.io` and type `RABET/INSTALL`.
  • `createConfig` calls wallet availability setup that registers the Rabet message listener at runtime.
  • Runtime network/API use includes package-aligned hosts such as `https://api.blux.cc`, `https://cdn2.blux.cc`, Stellar RPC/Horizon hosts, and wallet provider URLs.
  • Browser storage holds Blux JWT/recent connection state under `__BLUX__JWT_STORE` and related keys.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle hooks and no bin entry.
  • Clipboard use is UI-aligned: copy address and paste destination address, not crypto address replacement.
  • No child_process import, shell execution, filesystem writes, destructive behavior, or credential file harvesting found.
  • Network calls are consistent with a Stellar wallet/auth/connect SDK rather than exfiltration to unrelated endpoints.
  • `process.env` matches bundled semver debug code, not package credential access.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.65 MB of source, external domains: albedo.link, api.blux.cc, beta.herewallet.app, bitget.com, blux.cc, buy.moonpay.com, cdn.blux.cc, cdn2.blux.cc, dev.suite.sldev.cz, feross.org, freighter.app, friendbot-futurenet.stellar.org, friendbot.stellar.org, futurenet.stellarchain.io, github.com, h4n.app, horizon-futurenet.stellar.org, horizon-testnet.stellar.org, horizon.stellar.org, hot-labs.org, klever.io, lobstr.co, lumenscan.io, mainnet.sorobanrpc.com, mobile.rabet.io, my.herewallet.app, node.trezor.io, onekey.so, rabet.io, rpc-futurenet.stellar.org, soroban-testnet.stellar.org, steexp.com, stellar.expert, stellarchain.io, suite.trezor.io, t.me, tailwindcss.com, testnet.lumenscan.io, testnet.steexp.com, testnet.stellarchain.io, tgapp-dev.herewallet.app, tgapp.herewallet.app, trezor.io, walletconnect.com, www.fordefi.com, www.hanawallet.io, www.ledger.com, www.mycactus.com, www.w3.org, xbull.app

Source & flagged code

4 flagged · loading source
dist/index.cjs.jsView file
1"use strict";var e=require("@stellar/stellar-sdk"),t=require("zustand"),n=require("zustand/vanilla"),r=require("@albedo-link/intent"),i=require("@lobstrco/signer-extension-api"),o=... L2: /*! ... L7: /*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) */ L8: Object.defineProperty(e,"__esModule",{value:!0}),e.bytes=e.stringToBytes=e.str=e.bytesToString=e.hex=e.utf8=e.bech32m=e.bech32=e.base58check=e.createBase58check=e.base58xmr=e.base5... L9: /*! ... L16: /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ L17: Object.defineProperty(xn,"__esModule",{value:!0}),xn.notImplemented=xn.bitMask=void 0,xn.isBytes=r,xn.abytes=i,xn.abool=function(e,t){if("boolean"!=typeof t)throw new Error(e+" boo... L18: /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ ... L34: */function Hn(){return $n||($n=1,function(e){const t=function(){if(Rn)return Dn;Rn=1,Dn.byteLength=function(e){var t=o(e),n=t[0],r=t[1];return 3*(n+r)/4-r},Dn.toByteArray=function(... L35: /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */function Vn(){if(qn)return Pn.exports;qn=1;var e=65536,t=4294967295;var n=(Wn||(Wn=1,function(e,...
Critical
Clipboard Crypto Hijack

Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.

dist/index.cjs.jsView on unpkg · L1
Trigger-reachable chain: manifest.main -> dist/index.cjs.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjs.jsView on unpkg
27const t=bn(),n=un(),r=Sn(),i=Nn(),o=Cn(),a=En(),s=Ln(),c=An(),u=BigInt("[redacted]"),l=BigInt("196811613767075059... L28: /*! ieee754. BSD-3-Clause License. Feross Aboukhadijeh <https://feross.org/opensource> */function Kn(){return zn||(zn=1,Xn.read=function(e,t,n,r,i){var o,a,s=8*i-r-1,c=(1<<s)-1,u=c... L29: /*! ... L34: */function Hn(){return $n||($n=1,function(e){const t=function(){if(Rn)return Dn;Rn=1,Dn.byteLength=function(e){var t=o(e),n=t[0],r=t[1];return 3*(n+r)/4-r},Dn.toByteArray=function(... L35: /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */function Vn(){if(qn)return Pn.exports;qn=1;var e=65536,t=4294967295;var n=(Wn||(Wn=1,function(e,...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.cjs.jsView on unpkg · L27
34*/function Hn(){return $n||($n=1,function(e){const t=function(){if(Rn)return Dn;Rn=1,Dn.byteLength=function(e){var t=o(e),n=t[0],r=t[1];return 3*(n+r)/4-r},Dn.toByteArray=function(... L35: /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */function Vn(){if(qn)return Pn.exports;qn=1;var e=65536,t=4294967295;var n=(Wn||(Wn=1,function(e,...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.cjs.jsView on unpkg · L34

Findings

2 Critical2 High4 Medium5 Low
CriticalClipboard Crypto Hijackdist/index.cjs.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs.js
HighChild Process
HighSame File Env Network Executiondist/index.cjs.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.cjs.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings