
asepxyz@1.1.9

A complete WhatsApp Web library — fork of Baileys with @username support, rich messages, LID/PN mapping, TikTok downloader, Turnstile bypass, and more.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package includes a user-invoked Turnstile bypass helper, which is a dangerous dual-use capability, but the shipped code references a profile.baseurl value that is missing from package.json and therefore provides no concrete host.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the package or calls exported WhatsApp/helper APIs; preinstall runs during npm install
Impact
Dual-use CAPTCHA bypass helper may facilitate abuse if configured, but no install-time compromise or exfiltration is present
Mechanism
WhatsApp Web client library with user-invoked media/network helpers
Rationale
Static inspection does not show malicious install/import behavior, credential theft, persistence, or unconsented control-surface mutation. Warn rather than block because the package exposes a CAPTCHA/Turnstile bypass helper, even though the shipped endpoint configuration appears absent.
Evidence
  • package.json
  • engine-requirements.js
  • lib/index.js
  • lib/Function/Tools/bypass.js
  • lib/Function/Download/tiktok.js
  • lib/Utils/messages-media.js
  • lib/Defaults/connection.js
  • lib/WABinary/constants.js
  • lib/Store/make-in-memory-store.js
Network endpoints (5)
  • wss://web.whatsapp.com/ws/chat
  • web.whatsapp.com
  • mmg.whatsapp.net
  • raw.githubusercontent.com/WhiskeySockets/Baileys/master/src/Defaults/baileys-version.json
  • web.whatsapp.com/sw.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json declares preinstall hook node ./engine-requirements.js
  • lib/Function/Tools/bypass.js exports BypassTurnstileMin for Turnstile bypass via fetch
  • lib/Function/Download/tiktok.js exports a TikTok downloader via fetch
  • lib/Utils/messages-media.js uses child_process.exec for ffmpeg thumbnail generation on user media paths
Evidence against
  • engine-requirements.js only checks Node major version and exits if <20; no file/network access
  • lib/index.js import-time behavior is banner printing and exports; no exfiltration or payload loading found
  • Network use is aligned with WhatsApp client/media behavior or explicit helper functions
  • Scanner secret hits in WABinary/constants.js are protocol token strings, not embedded credentials
  • No AI-agent control-surface writes, persistence, credential harvesting, or install-time mutation found
Behavioral surface
Source: ChildProcess, Crypto, Eval, Filesystem, Network, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 148 file(s), 5.87 MB of source, external domains: call.whatsapp.com, mmg.whatsapp.net, raw.githubusercontent.com, wa.me, web.whatsapp.com, www.whatsapp.com
Oversized source lightweight scan
  • WAProto/E2E/E2E.js: 3.81 MB file, sampled 256 KB (signal: ChildProcess)
  • WAProto/HistorySync/HistorySync.js: 4.65 MB file, sampled 256 KB (signal: ChildProcess)
  • WAProto/MdStorageMsgRowOpaqueData/MdStorageMsgRowOpaqueData.js: 3.93 MB file, sampled 256 KB (signal: ChildProcess)
  • WAProto/Web/Web.js: 4.35 MB file, sampled 256 KB (signal: ChildProcess)

Source & flagged code

6 flagged
package.json
scripts.preinstall = node ./engine-requirements.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

lib/WABinary/constants.js
patternName = google_api_key severity = high line = 602 matchedText = "AIzaSyD...Lk",
High
High Secret

Package contains a high-severity secret pattern.

patternName = google_api_key severity = high line = 602 matchedText = "AIzaSyD...Lk",
High
Secret Pattern

Google API key in lib/WABinary/constants.js

lib/Utils/messages-media.js (lines 200-202)
    try {
      const { default: decoder } = await eval("import('audio-decode')");
      let audioData;
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/Utils/crypto.js (lines 4-6 and 17-19)
    createCipheriv: createCipheriv,
    createDecipheriv: createDecipheriv,
    createHash: createHash,
    ...
    return {
      private: Buffer.from(privKey),
      public: Buffer.from(pubKey.slice(1)),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

WAProto/HistorySync/HistorySync.js
path = WAProto/HistorySync/HistorySync.js kind = oversized_source_file sizeBytes = 4879942 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.


Findings

4 High · 2 Medium · 6 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • High: High Secret (lib/WABinary/constants.js)
  • High: Oversized Source File (WAProto/HistorySync/HistorySync.js)
  • High: Secret Pattern (lib/WABinary/constants.js)
  • Medium: Network
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Eval (lib/Utils/messages-media.js)
  • Low: Weak Crypto (lib/Utils/crypto.js)
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings