registry  /  abuden3  /  2.0.0

abuden3@2.0.0

Republished package

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Opening the package's HTML entrypoint executes an unrelated third-party remote script and starts a browser service-worker proxy. The proxy can relay browser requests, including their headers and bodies, through a remote WebSocket transport.

Static reason
One or more suspicious static signals were detected.
Trigger
A user opens or serves `index.html` in a browser.
Impact
Remote infrastructure can receive proxied browsing traffic within the proxy route scope; the externally loaded script executes with the page's origin privileges.
Mechanism
runtime-loaded remote script plus service-worker request proxy
Attack narrative
The package is a browser application, not a normal library. Its entrypoint loads an opaque third-party script immediately, then an obfuscated bundle invokes a controller bootstrap. That bootstrap installs a service worker which intercepts selected fetches and forwards request metadata and body through a configured WebSocket proxy at `21baseballacademy.com`. This creates a concrete, non-package-aligned remote execution and traffic-relay surface when the app is opened, though it does not execute during npm install.
Rationale
No install-time behavior was found, but the shipped browser entrypoint loads a remote third-party script and configures an opaque proxied browsing stack that can handle request data. These behaviors are concrete enough to treat the package as malicious rather than benign bundled application code.
Evidence
package.jsonindex.htmlassets/index-CJm_PfL2.jsassets/boot-CVPGRFHh.jsj6k3y8.jsct1tl/jmqwjq.jsassets/ChatPage-zoA8Z6RX.jsct1tl/csbzam.jsbfjdx/757lr8.jsbfjdx/w7m632.wasm
Network endpoints3
c.vipersfutbol.com/script.jswss://21baseballacademy.com/fairs/www.googletagmanager.com/gtag/js?id=G-0VL3ZSBXDH

Decision evidence

public snapshot
AI called this Malicious at 91.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.html` loads third-party script `https://c.vipersfutbol.com/script.js` on page load.
  • `assets/boot-CVPGRFHh.js` registers a service worker and configures a proxy transport to `wss://21baseballacademy.com/fairs/`.
  • `j6k3y8.js` routes matching browser fetches through `ct1tl/jmqwjq.js`; that worker forwards request URL, headers, and body to the controller.
  • `assets/index-CJm_PfL2.js` dynamically imports and invokes `bootController()` at runtime.
  • `assets/ChatPage-zoA8Z6RX.js` is deliberately obfuscated, obscuring the web application's behavior.
Evidence against
  • `package.json` has no `scripts`, lifecycle hooks, or `bin` entry.
  • The manifest main is `index.html`; npm installation alone does not execute the browser assets.
  • No Node filesystem, subprocess, credential-environment harvesting, or install-time mutation chain was confirmed.
  • The `.wasm`, proxy runtime, and dynamic require are used by the browser proxy stack rather than a demonstrated native payload.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 7.27 MB of source, external domains: 127.0.0.1, aomediacodec.github.io, cdn.jsdelivr.net, cloud-api.livekit.io, curl.se, emscripten.org, fingerprint.com, github.com, m1.openfpcdn.io, react.dev, sj-cache.invalid, twemoji.maxcdn.com, www.w3.org, www.zlib.net

Source & flagged code

7 flagged · loading source
assets/proxy-runtime-1NyFshf9.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Secret Pattern

AWS access key ID in assets/proxy-runtime-1NyFshf9.js

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
bfjdx/757lr8.jsView file
17L18: //# sourceURL=${A}`)();n=c,o=l}else n=g.z$,o=g.Mt;r.construct&&(l.construct=function(e,t,i){let n,s=!1,a={fn:e,this:null,args:t,newTarget:i,return:e=>{s=!0,n=e},call:()=>(s=!0,n=o(... L19: //# sourceURL=${r.url.href}`),n}return o.body;case"style":return(0,i.sM)(await o.text(),e.context,r.meta);case"sharedworker":case"worker":return(0,i.iP)(new Uint8Array(await o.arra...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bfjdx/757lr8.jsView on unpkg · L17
assets/ChatPage-zoA8Z6RX.jsView file
1(function(_0x31bba3,_0x379132){const _0x159e7b={_0x26fc34:0x358,_0x56fc24:0x70c,_0x216b69:0x578,_0x22d6fc:0x60b,_0x33af41:0x2a6,_0x514b56:0x7f9,_0x4ccc4c:0x9d1,_0x35dd24:0xfdf,_0x1...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

assets/ChatPage-zoA8Z6RX.jsView on unpkg · L1
bfjdx/w7m632.wasmView file
path = bfjdx/w7m632.wasm kind = wasm_module sizeBytes = 586279 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bfjdx/w7m632.wasmView on unpkg
assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
assets/livekit-C0E_jLSz.jsView file
13patternName = generic_password severity = medium line = 13 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Hardcoded password in assets/livekit-C0E_jLSz.js

assets/livekit-C0E_jLSz.jsView on unpkg · L13

Findings

2 Critical3 High6 Medium4 Low
CriticalCritical Secretassets/proxy-runtime-1NyFshf9.js
CriticalSecret Patternassets/proxy-runtime-1NyFshf9.js
HighObfuscated Payload Loaderassets/ChatPage-zoA8Z6RX.js
HighObfuscated
HighShips High Entropy Blobassets/KaTeX_Script-Regular-D3wIWfF6.woff2
MediumDynamic Requirebfjdx/757lr8.js
MediumNetwork
MediumProtestware
MediumShips Wasm Modulebfjdx/w7m632.wasm
MediumStructural Risk Force Deep Review
MediumSecret Patternassets/livekit-C0E_jLSz.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License