registry  /  @bluxcc/core  /  0.2.14

@bluxcc/core@0.2.14

Blux is a wallet infra for the Stellar network

AI Security Review

scanned 7h ago · by lpm-firewall-ai

Runtime wallet discovery installs a browser message listener that accepts a specific third-party origin and dynamically evaluates its message body. This creates remote code execution in the host application's browser context if that origin or its delivered content is compromised.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
An application calls `createConfig`, which starts wallet discovery.
Impact
Arbitrary JavaScript can run in the integrating application's browser origin.
Mechanism
Cross-origin message payload evaluated with `new Function`
Rationale
The package is not confirmed malware, but it contains a concrete, reachable remote code execution primitive in its browser runtime. The scanner's clipboard, environment, and process hints are otherwise explained by normal wallet UI and bundled dependency code.
Evidence
package.jsonREADME.mddist/index.cjs.jsdist/index.esm.jsdist/types.d.tsdist/utils/api.d.tsdist/utils/initializeWalletConnect.d.ts
Network endpoints4
mobile.rabet.ioapi.blux.cccdn2.blux.cc/core-assets/asset-meta.json.gzcdn2.blux.cc/core-assets/logos2.json.gz

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/index.cjs.js` registers a `message` handler accepting `RABET/INSTALL` from `https://mobile.rabet.io`.
  • That handler executes `e.data.message` with `new Function(...)` before removing itself.
  • The handler is reached during wallet discovery invoked by `createConfig`, not only by an explicit wallet-install command.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `bin` hook.
  • Clipboard calls are user UI actions: copy output and paste a recipient address.
  • No `child_process` import, filesystem harvesting, agent-config writes, or shell execution was found.
  • `process.env` and `.exec()` matches occur in bundled semver/regex code, not package execution logic.
  • Network requests support documented wallet/auth/asset features (`api.blux.cc` and Blux CDN).
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.65 MB of source, external domains: albedo.link, api.blux.cc, beta.herewallet.app, bitget.com, blux.cc, buy.moonpay.com, cdn.blux.cc, cdn2.blux.cc, dev.suite.sldev.cz, feross.org, freighter.app, friendbot-futurenet.stellar.org, friendbot.stellar.org, futurenet.stellarchain.io, github.com, h4n.app, horizon-futurenet.stellar.org, horizon-testnet.stellar.org, horizon.stellar.org, hot-labs.org, klever.io, lobstr.co, lumenscan.io, mainnet.sorobanrpc.com, mobile.rabet.io, my.herewallet.app, node.trezor.io, onekey.so, rabet.io, rpc-futurenet.stellar.org, soroban-testnet.stellar.org, steexp.com, stellar.expert, stellarchain.io, suite.trezor.io, t.me, tailwindcss.com, testnet.lumenscan.io, testnet.steexp.com, testnet.stellarchain.io, tgapp-dev.herewallet.app, tgapp.herewallet.app, trezor.io, walletconnect.com, www.fordefi.com, www.hanawallet.io, www.ledger.com, www.mycactus.com, www.w3.org, xbull.app

Source & flagged code

4 flagged · loading source
dist/index.cjs.jsView file
1"use strict";var e=require("@stellar/stellar-sdk"),t=require("zustand"),n=require("zustand/vanilla"),r=require("@albedo-link/intent"),i=require("@lobstrco/signer-extension-api"),o=... L2: /*! ... L7: /*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) */ L8: Object.defineProperty(e,"__esModule",{value:!0}),e.bytes=e.stringToBytes=e.str=e.bytesToString=e.hex=e.utf8=e.bech32m=e.bech32=e.base58check=e.createBase58check=e.base58xmr=e.base5... L9: /*! ... L16: /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ L17: Object.defineProperty(xn,"__esModule",{value:!0}),xn.notImplemented=xn.bitMask=void 0,xn.isBytes=r,xn.abytes=i,xn.abool=function(e,t){if("boolean"!=typeof t)throw new Error(e+" boo... L18: /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ ... L34: */function Hn(){return $n||($n=1,function(e){const t=function(){if(Rn)return Dn;Rn=1,Dn.byteLength=function(e){var t=o(e),n=t[0],r=t[1];return 3*(n+r)/4-r},Dn.toByteArray=function(... L35: /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */function Vn(){if(qn)return Pn.exports;qn=1;var e=65536,t=4294967295;var n=(Wn||(Wn=1,function(e,...
Critical
Clipboard Crypto Hijack

Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.

dist/index.cjs.jsView on unpkg · L1
Trigger-reachable chain: manifest.main -> dist/index.cjs.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjs.jsView on unpkg
27const t=bn(),n=un(),r=Sn(),i=Nn(),o=Cn(),a=En(),s=Ln(),c=An(),u=BigInt("[redacted]"),l=BigInt("196811613767075059... L28: /*! ieee754. BSD-3-Clause License. Feross Aboukhadijeh <https://feross.org/opensource> */function Kn(){return zn||(zn=1,Xn.read=function(e,t,n,r,i){var o,a,s=8*i-r-1,c=(1<<s)-1,u=c... L29: /*! ... L34: */function Hn(){return $n||($n=1,function(e){const t=function(){if(Rn)return Dn;Rn=1,Dn.byteLength=function(e){var t=o(e),n=t[0],r=t[1];return 3*(n+r)/4-r},Dn.toByteArray=function(... L35: /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */function Vn(){if(qn)return Pn.exports;qn=1;var e=65536,t=4294967295;var n=(Wn||(Wn=1,function(e,...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.cjs.jsView on unpkg · L27
34*/function Hn(){return $n||($n=1,function(e){const t=function(){if(Rn)return Dn;Rn=1,Dn.byteLength=function(e){var t=o(e),n=t[0],r=t[1];return 3*(n+r)/4-r},Dn.toByteArray=function(... L35: /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */function Vn(){if(qn)return Pn.exports;qn=1;var e=65536,t=4294967295;var n=(Wn||(Wn=1,function(e,...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.cjs.jsView on unpkg · L34

Findings

2 Critical2 High4 Medium5 Low
CriticalClipboard Crypto Hijackdist/index.cjs.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs.js
HighChild Process
HighSame File Env Network Executiondist/index.cjs.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.cjs.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings