registry  /  chain-sdk-js  /  1.0.5

chain-sdk-js@1.0.5

JavaScript library for interacting with the Theta Blockchain

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing the Node ESM, CJS, or UMD entrypoint activates a hidden payload path. It reads encrypted data from another installed package, decrypts it, and runs it as detached Node code.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
Runtime import or require of the package entrypoint.
Impact
Arbitrary local code execution in the importing user's environment when the targeted dependency files exist.
Mechanism
Decrypts cross-package payload files and executes them through detached Node child processes.
Attack narrative
The published runtime bundles execute code at import time. They read encrypted files from a separate dependency path, decrypt them using an embedded password, then pass the plaintext to detached `node` subprocesses with output discarded and handles unreferenced. This is a concealed cross-package staged-payload execution chain; it is not exposed by the declared source entry or build configuration.
Rationale
The package contains concrete import-time arbitrary code execution through decrypted external payloads and detached child processes. The discrepancy between source entry/build configuration and published bundles further supports intentional concealment.
Evidence
package.jsonsrc/index.jsrollup.config.jssrc/decrypt.jsdist/chain-sdk-js.esm.jsdist/chain-sdk-js.cjs.jsdist/chain-sdk-js.umd.jsnode_modules/thedata/apps/docs/app/rsa.dbnode_modules/thedata/apps/docs/app/des.dbnode_modules/tchain-api/apps/docs/app/rsa.db

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/chain-sdk-js.esm.js` imports `child_process` and Node filesystem APIs.
  • Import-time code reads encrypted `rsa.db` and `des.db` from `node_modules/thedata`.
  • It decrypts both blobs with an embedded password and pipes them to detached `node` processes.
  • Detached children use ignored output and `unref`, concealing payload behavior from the importing process.
  • Published CJS and UMD bundles contain analogous import-time RSA payload execution.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • `src/index.js` and `rollup.config.js` do not import `src/decrypt.js`; bundled payload is unexplained by the declared entry source.
  • Observed RPC endpoints serve expected blockchain-provider functionality, not this execution chain.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 1.25 MB of source, external domains: beta-explorer.thetatoken.org, cloudflare-eth.com, eth-rpc-api-testnet.thetatoken.org, eth-rpc-api.thetatoken.org, ethereum.api.nodesmith.io, explorer-api.thetatoken.org, explorer.thetatoken.org, github.com, registry.npmjs.org, smart-contracts-sandbox-explorer.thetatoken.org, testnet-explorer-api.thetatoken.org, testnet-tsub360777-explorer.thetatoken.org, testnet-tsub360777-rpc.thetatoken.org, theta-bridge-rpc-testnet.thetatoken.org, theta-bridge-rpc.thetatoken.org, theta-node-rpc-smart-contract-sandbox.thetatoken.org, tsub360888-explorer.thetatoken.org, tsub360888-rpc.thetatoken.org, tsub360889-explorer.thetatoken.org, tsub360889-rpc.thetatoken.org, tsub360890-explorer.thetatoken.org, tsub360890-rpc.thetatoken.org
Oversized source lightweight scan
dist/chain-sdk-js.umd.js2.05 MB file, sampled 256 KB
FilesystemNetworkChildProcessCryptoWebSocketHighEntropyStringsUrlStringscloudflare-eth.comethereum.api.nodesmith.iogithub.com
dist/thetajs.umd.js2.05 MB file, sampled 256 KB
FilesystemNetworkChildProcessCryptoWebSocketHighEntropyStringsUrlStringscloudflare-eth.comethereum.api.nodesmith.iogithub.com

Source & flagged code

12 flagged · loading source
dist/thetajs.esm.jsView file
12import 'node:url'; L13: import { spawn } from 'child_process'; L14: import { utils, Wallet } from 'ethers'; ... L192: L193: const makeSigner = addToV => (hash, privateKey) => { L194: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L238: toJson(){ L239: return JSON.parse(JSON.stringify({ L240: txType: this.getType(), L241: txData: this._rawTx L242: })); ... L357:
Critical
Spawned Remote Code Execution

Source spawns a local helper that fetches and dynamically executes remote code.

dist/thetajs.esm.jsView on unpkg · L12
12import 'node:url'; L13: import { spawn } from 'child_process'; L14: import { utils, Wallet } from 'ethers';
High
Child Process

Package source references child process execution.

dist/thetajs.esm.jsView on unpkg · L12
matchType = normalized_sha256 matchedPackage = theta-sdk-js@1.2.17 matchedPath = dist/thetajs.esm.js matchedIdentity = npm:dGhldGEtc2RrLWpz:1.2.17 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/thetajs.esm.jsView on unpkg
dist/chain-sdk-js.cjs.jsView file
18Trigger-reachable chain: manifest.main -> dist/chain-sdk-js.cjs.js L18: require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers'); ... L198: L199: const makeSigner = addToV => (hash$$1, privateKey) => { L200: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L244: toJson(){ L245: return JSON.parse(JSON.stringify({ L246: txType: this.getType(), L247: txData: this._rawTx L248: })); ... L363:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chain-sdk-js.cjs.jsView on unpkg · L18
matchType = normalized_sha256 matchedPackage = theta-sdk-js@1.2.17 matchedPath = dist/thetajs.cjs.js matchedIdentity = npm:dGhldGEtc2RrLWpz:1.2.17 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/chain-sdk-js.cjs.jsView on unpkg
dist/chain-sdk-js.umd.jsView file
path = dist/chain-sdk-js.umd.js kind = oversized_source_file sizeBytes = 2148819 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chain-sdk-js.umd.jsView on unpkg
dist/chain-sdk-js.esm.jsView file
matchType = normalized_sha256 matchedPackage = theta-sdk-js@1.2.17 matchedPath = dist/thetajs.esm.js matchedIdentity = npm:dGhldGEtc2RrLWpz:1.2.17 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/chain-sdk-js.esm.jsView on unpkg
dist/thetajs.cjs.jsView file
matchType = normalized_sha256 matchedPackage = theta-sdk-js@1.2.17 matchedPath = dist/thetajs.cjs.js matchedIdentity = npm:dGhldGEtc2RrLWpz:1.2.17 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/thetajs.cjs.jsView on unpkg
test/wallet.test.jsView file
51patternName = generic_password severity = medium line = 51 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L51
60patternName = generic_password severity = medium line = 60 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L60
71patternName = generic_password severity = medium line = 71 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L71
80patternName = generic_password severity = medium line = 80 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L80

Findings

2 Critical7 High6 Medium4 Low
CriticalSpawned Remote Code Executiondist/thetajs.esm.js
CriticalTrigger Reachable Dangerous Capabilitydist/chain-sdk-js.cjs.js
HighChild Processdist/thetajs.esm.js
HighShell
HighOversized Source Filedist/chain-sdk-js.umd.js
HighKnown Malware Source Similaritydist/chain-sdk-js.cjs.js
HighKnown Malware Source Similaritydist/chain-sdk-js.esm.js
HighKnown Malware Source Similaritydist/thetajs.cjs.js
HighKnown Malware Source Similaritydist/thetajs.esm.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings