registry  /  @ibrahim1337/baksen  /  3.0.0

@ibrahim1337/baksen@3.0.0

hadiyapic

AI Security Review

scanned 5d ago · by lpm-firewall-ai

The package is a Windows-only Chromium credential extraction tool shipped as obfuscated V8 bytecode plus a native PE addon. Importing the main module or running the baksen CLI can enumerate/decrypt browser cookies and passwords locally.

Static reason
One or more suspicious static signals were detected.
Trigger
require('@ibrahim1337/baksen') or running the baksen CLI on Windows
Impact
Browser cookies, saved passwords, and Chromium master keys can be extracted/decrypted from local profiles.
Mechanism
obfuscated Node bytecode loads native browser credential decryption addon
Attack narrative
On runtime/import, index.js loads obfuscated bytenode bytecode. The bytecode and native addon implement Chromium profile discovery, master-key extraction, and cookie/password decryption using Windows DPAPI, BCrypt, process debugging, and memory-read APIs. This creates a direct credential-harvesting surface even without a confirmed exfiltration URL.
Rationale
The package’s primary behavior is browser credential harvesting/decryption, with obfuscation and a native debug-elevator addon increasing risk beyond ordinary package-aligned functionality. Lack of an install-time payload or exfil endpoint lowers certainty about automated theft, but the capability and import-time activation justify blocking.
Evidence
package.jsonindex.jscli.jsindex.jscsrc/license.jscbuild/Release/debugelevator.nodeChromium Local StateChromium cookie/password stores
Network endpoints1
raw.githubusercontent.com/tabo1337/SaatPCBKod/refs/heads/main/key.txt

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js import-time loads bytenode and executes ./index.jsc as package main
  • cli.js describes itself as Chromium Cookie Extractor and forwards to index.js
  • index.jsc contains obfuscated runtime logic for browser cookie/password extraction and decryption
  • build/Release/debugelevator.node exports decryptCookie, decryptPassword, extractMasterKey, extractKey
  • native binary imports CreateProcessW, WaitForDebugEvent, ReadProcessMemory, CryptUnprotectData, BCryptDecrypt
  • src/license.jsc contacts https://raw.githubusercontent.com/tabo1337/SaatPCBKod/refs/heads/main/key.txt for license validation
Evidence against
  • package.json install script is only echo and does not execute payload at install time
  • No confirmed credential exfiltration endpoint found beyond the license-key URL
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 287 B of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.install = echo Prebuilt binary installed successfully
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.install = echo Prebuilt binary installed successfully
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
build/Release/debugelevator.nodeView file
path = build/Release/debugelevator.node kind = native_binary sizeBytes = 729088 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

build/Release/debugelevator.nodeView on unpkg
index.jscView file
path = index.jsc kind = node_bytecode sizeBytes = 3448016 magicHex = [redacted]
High
Ships Node Bytecode

Package ships compiled Node/V8 bytecode artifacts.

index.jscView on unpkg

Findings

2 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips Node Bytecodeindex.jsc
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Native Binarybuild/Release/debugelevator.node
LowNon Install Lifecycle Scripts
LowScripts Present