registry  /  ddaxx  /  1.0.0

ddaxx@1.0.0

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the main entry in a matching browser context runs a concealed account-takeover payload. It exfiltrates page data and WordPress nonces, deletes accounts, changes account email, and triggers password reset.

Static reason
No blocking static signals were detected.
Trigger
Import or execution of `a.js` in a browser whose URL contains `noviembrenacional.com`.
Impact
Account deletion and takeover through attacker email replacement and password-reset initiation.
Mechanism
Obfuscated DOM harvesting, authenticated same-origin requests, and remote telemetry.
Attack narrative
`a.js` executes immediately when imported. On the targeted site, it sends encoded document HTML and extracted account data to a Canarytokens endpoint, obtains WordPress nonces from authenticated settings pages, posts an account-deletion request, replaces the account email with an attacker-controlled address, and initiates password reset.
Rationale
The source contains a concrete, automatically executed browser attack chain with data exfiltration and destructive account control actions. The lack of install hooks does not mitigate runtime execution through the declared main entry.
Evidence
a.jspackage.json
Network endpoints4
canarytokens.com/tags/feedback/kkiwhjd8z03ya08mh9wuc40hn/submit.aspx/members/<username>/settings/delete-account//my-account/editar-cuenta//wp-login.php?action=lostpassword

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `a.js` is the package main entry and invokes `exploit()` at import time.
  • The payload activates on `noviembrenacional.com` and silently POSTs the full page HTML to Canarytokens.
  • It reads WordPress nonces and submits an authenticated account-deletion request.
  • It changes the account email to an attacker-controlled address, then triggers password reset.
  • Obfuscation hides destructive browser-side actions and exfiltration telemetry.
Evidence against
  • `package.json` contains no lifecycle scripts or dependencies.
  • No child-process, filesystem, or native-loading behavior was found.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedTrivial
Manifest
NoLicense
scanned 1 file(s), 11.3 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

5 High1 Medium2 Low
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
MediumNetwork
LowHigh Entropy Strings
LowNo License