registry  /  browserstack-node-sdk  /  1.63.2

browserstack-node-sdk@1.63.2

Node SDK for browserstack selenium-webdriver tests

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The explicit setup CLI can persist an update action in the consuming project's `package.json`. The bundled Chrome extension has broad page permissions if the AI SDK browser-extension path is activated; no unconsented install-time execution was found.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `npx setup` or invokes SDK functionality that activates the bundled browser extension.
Impact
Future dependency installs may update this SDK; activated extension code can access matching browser pages.
Mechanism
Project postinstall mutation and broad-permission bundled Chrome extension.
Rationale
The package shows no concrete malicious chain or unconsented install-time foreign control-surface mutation. Warn because explicit setup persists automatic updates in a consumer project and the bundled extension has broad page permissions behind obfuscated code.
Evidence
package.jsonREADME.mdsrc/bin/setup.jssrc/ai-sdk-node/bundle.jssrc/ai-sdk-node/extensions/chrome_extension.crxbrowserstack.yml
Network endpoints4
browserstack.comaccessibility.browserstack.com/apicollector-observability.browserstack.comupload-observability.browserstack.com

Decision evidence

public snapshot
AI called this Suspicious at 81.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/bin/setup.js` runs only as explicit `setup` CLI but writes the consumer `package.json`.
  • That setup path adds a `postinstall` command containing `npm update browserstack-node-sdk`.
  • `src/ai-sdk-node/extensions/chrome_extension.crx` embeds a Chrome extension with `<all_urls>` host access.
  • The extension includes background and content scripts, increasing browser-page access when its AI SDK path is used.
  • Core package and CLI sources are heavily obfuscated, limiting straightforward auditability.
Evidence against
  • `package.json` has no npm `preinstall`, `install`, or `postinstall` lifecycle hook.
  • README.md documents `npx setup`, so the project mutation is user-invoked rather than install-time.
  • Observed endpoints are BrowserStack/Percy/observability service domains consistent with SDK functionality.
  • No inspected source established credential exfiltration, remote payload download-and-execute, or destructive behavior.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 234 file(s), 4.76 MB of source, external domains: accessibility.browserstack.com, api-cloud-devtestops.bsstag.com, api-cloud.browserstack.com, api-preprod.bsstag.com, api.browserstack.com, apidevtestops.bsstag.com, app-automate-devtestops.bsstag.com, app-automate-preprod.bsstag.com, app-automate.browserstack.com, automate-devtestops.bsstag.com, automate-preprod.bsstag.com, automate.browserstack.com, automation-preprod.bsstag.com, automation.browserstack.com, browserstack.com, collector-observability-devtestops.bsstag.com, collector-observability-preprod.bsstag.com, collector-observability.browserstack.com, eds.browserstack.com, edsstaging.bsstag.com, github.com, graph.microsoft.com, grid-devhst.bsstag.com, grid-preprod.bsstag.com, grid.browserstack.com, hub-devtestops.bsstag.com, hub-preprod.bsstag.com, hub-use-only.browserstack.com, hub.browserstack.com, nroujxly-hub.browserstack-ats.com, observability-devtestops.bsstag.com, tcg-preprod.bsstag.com, tcg.browserstack.com, tcg.bsstag.com, upload-observability-devtestops-ssi.bsstag.com, upload-observability-preprod.bsstag.com, upload-observability.browserstack.com, www.browserstack.com, www.googleapis.com, your-jira.yourdomain.com

Source & flagged code

13 flagged · loading source
ats/src/templates/hubharesources/bitnami-kafka.yamlView file
119patternName = generic_password severity = medium line = 119 matchedText = system-u...w=="
Medium
Secret Pattern

Package contains a possible secret pattern.

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L119
120patternName = generic_password severity = medium line = 120 matchedText = inter-br...w=="
Medium
Secret Pattern

Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L120
121patternName = generic_password severity = medium line = 121 matchedText = controll...g=="
Medium
Secret Pattern

Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L121
167patternName = generic_password severity = medium line = 167 matchedText = listener...er";
Medium
Secret Pattern

Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L167
189patternName = generic_password severity = medium line = 189 matchedText = listener...-0";
Medium
Secret Pattern

Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L189
190patternName = generic_password severity = medium line = 190 matchedText = listener...er";
Medium
Secret Pattern

Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L190
191patternName = generic_password severity = medium line = 191 matchedText = listener...er";
Medium
Secret Pattern

Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L191
273patternName = generic_password severity = medium line = 273 matchedText = local pa...ue}"
Medium
Secret Pattern

Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml

ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L273
ats/src/utils/utilityMethods.js#virtual:normalized:round1View file
1const a37_0xbf08e5=a37_0x40bb;(function(_0x424a37,_0x40af1a){const _0x28d774=a37_0x40bb,_0x2f1c52=_0x424a37();while(!![]){try{const _0x1e5996=parseInt(_0x28d774(0x138))/0x1*(parseI...
High
Child Process

Package source references child process execution.

ats/src/utils/utilityMethods.js#virtual:normalized:round1View on unpkg · L1
generated/sdk_pb.jsView file
13L14: var jspb = require('google-protobuf'); L15: var goog = jspb;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

generated/sdk_pb.jsView on unpkg · L13
src/helpers/helper.jsView file
1const a138_0x5c5c36=a138_0x14f7;function a138_0x1299(){const _0x2746b9=['gtnNl','nlWrx','OJxxu','JgpsY','qqWAU','LgDdO','sNbyW','-browserstack','defineProperty','faYld','getPwChann...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/helpers/helper.jsView on unpkg · L1
ats/src/config/constants.jsView file
1const a22_0x1abd31=a22_0x3e1b;(function(_0x5887dc,_0x29e6ad){const _0x23541a=a22_0x3e1b,_0x248794=_0x5887dc();while(!![]){try{const _0x3a7811=parseInt(_0x23541a(0x214))/0x1+parseIn...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

ats/src/config/constants.jsView on unpkg · L1
src/ai-sdk-node/extensions/chrome_extension.crxView file
path = src/ai-sdk-node/extensions/chrome_extension.crx kind = high_entropy_blob sizeBytes = 53660 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/ai-sdk-node/extensions/chrome_extension.crxView on unpkg

Findings

6 High12 Medium4 Low
HighChild Processats/src/utils/utilityMethods.js#virtual:normalized:round1
HighShell
HighSame File Env Network Executionsrc/helpers/helper.js
HighObfuscated Payload Loaderats/src/config/constants.js
HighObfuscated
HighShips High Entropy Blobsrc/ai-sdk-node/extensions/chrome_extension.crx
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
MediumDynamic Requiregenerated/sdk_pb.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
MediumSecret Patternats/src/templates/hubharesources/bitnami-kafka.yaml
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License