AI Security Review
scanned 5d ago · by lpm-firewall-aiThe package is a Windows-only Chromium credential extraction tool shipped as bytecode plus a native addon. It can read/decrypt browser cookies and saved passwords and write them to local output files.
Static reason
One or more suspicious static signals were detected.
Trigger
Running the baksen CLI or requiring index.js with package entry behavior
Impact
Disclosure of browser session cookies and saved passwords from Chrome, Brave, Edge, Opera, and Opera GX
Mechanism
Chromium cookie/password harvesting via Local State keys, SQLite browser databases, debug/process APIs, and native decryption
Attack narrative
On user invocation, cli.js loads index.js, which loads hidden bytenode bytecode. The bytecode locates Chromium-family browsers, kills browser processes, reads Local State and SQLite cookie/password stores, obtains/decrypts master/app-bound keys using the native Windows addon, then writes harvested cookies and passwords to local files. The native addon contains process debugging and Windows crypto APIs used to bypass Chromium protections.
Rationale
Source and string inspection confirms a purpose-built browser credential harvesting capability, not merely benign package functionality. Even without install-time execution or observed exfiltration, extracting cookies and saved passwords is concrete malicious behavior for an npm package firewall.
Evidence
package.jsoncli.jsindex.jsindex.jscsrc/license.jscbuild/Release/debugelevator.nodeLocal StateNetwork/CookiesLogin Data_cookies/*.txt_passwords/*.txt.baksen_cache
Network endpoints1
raw.githubusercontent.com/tabo1337/SaatPCBKod/refs/heads/main/key.txt
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-6575
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @ibrahim1337/baksen (npm)
Details
Package @ibrahim1337/baksen ships a Windows x64 infostealer toolkit that targets Chromium-family browsers (Chrome, Brave, Edge, Opera, Opera GX) on the machine running the CLI. The JS layer enumerates browser profile directories and reads the 'Local State', 'Cookies', and 'Login Data' SQLite databases, executing queries such as `SELECT origin_url, username_value, password_value FROM logins` and `SELECT host_key, name, encrypted_value,... FROM cookies`. It extracts the AES master key and the Chrome v20 `os_crypt.app_bound_encrypted_key` from Local State, then decrypts cookies and saved passwords with AES-256-GCM and writes the plaintext credentials to local `_cookies/` and `_passwords/` directories. A bundled opaque Windows native addon `build/Release/debugelevator.node` (declared in package.json `files`, `os: win32`, `cpu: x64`) performs the App-Bound key elevation — the documented technique used by recent Chromium infostealers to bypass Chrome v20 encryption. Strings inside the bundle include 'DebugElevator - scanning all detected browsers', 'Launching... browser(s) in parallel for App-Bound key', and 'APP-KEY'. A license module fetches an allowlist of valid keys from `https://raw.githubusercontent.com/tabo1337/SaatPCBKod/refs/heads/main/key.txt` (an account unrelated to the publisher) and caches the result at `~/.baksen_cache`, indicating a sold/distributed hacktool model. Package metadata is placeholder ('hadiyapic' description, `github.com/yourusername/baksen` repository URL) with no legitimate provenance. Installing and running this package on a Windows host with any of the listed browsers results in extraction of saved passwords and session cookies — credential theft against the machine running it.
Decision evidence
public snapshotAI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
- index.js loads bytenode bytecode from index.jsc, hiding main logic from normal source review.
- cli.js labels package as a Chromium Cookie Extractor and immediately requires index.js.
- index.jsc strings show browser discovery, taskkill, Local State access, Cookies/Login Data SQLite queries, decryptCookie/decryptPassword, and output of cookies/passwords.
- build/Release/debugelevator.node imports Windows debug/process and crypto APIs: CreateProcessW, WaitForDebugEvent, ReadProcessMemory, CryptUnprotectData, BCryptDecrypt.
- src/license.jsc contacts a GitHub raw URL for license keys and writes a user-home cache.
Evidence against
- package.json install script is only an echo and does not run the payload at install time.
- No evidence of automatic remote exfiltration of harvested cookies/passwords; output appears local files/console.
- Network endpoint observed is license validation, not credential upload.
Behavioral surface
Trivial
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.install = echo Prebuilt binary installed successfully
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.install = echo Prebuilt binary installed successfully
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgbuild/Release/debugelevator.nodeView file
•path = build/Release/debugelevator.node
kind = native_binary
sizeBytes = 729088
magicHex = [redacted]
Medium
Ships Native Binary
Package ships native binary artifacts.
build/Release/debugelevator.nodeView on unpkgindex.jscView file
•path = index.jsc
kind = node_bytecode
sizeBytes = 49808
magicHex = [redacted]
High
Findings
2 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips Node Bytecodeindex.jsc
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Native Binarybuild/Release/debugelevator.node
LowNon Install Lifecycle Scripts
LowScripts Present