
grapes-andrewdingus@1.0.20

GRAPES OS static site — CDN-ready via unpkg

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No install-time npm compromise was found. The real unresolved risk is browser runtime remote code execution on the leaderboard page via fetched GitHub JavaScript evaluated with eval().

Static reason: High-risk behavior combination matched malicious policy.
Trigger: User opens leaderboard.html in a browser.
Impact: A changed upstream scores.js could execute arbitrary browser JavaScript in visitors' sessions under the site origin.
Mechanism: remote JavaScript fetch followed by eval.
Attack narrative
When leaderboard.html is viewed, assets/js/leaderboard.js downloads scores.js from raw.githubusercontent.com and immediately evals the returned text. The packaged code does not itself harvest credentials, persist, or run during npm install, but the mutable remote script can become arbitrary browser code without a package update.
Rationale
Static inspection confirms a concrete remote-eval runtime risk, but not a packaged malicious payload, install hook, credential exfiltration, or destructive behavior. Treat as warn/suspicious rather than publish-block malicious.
Evidence
  • package.json
  • leaderboard.html
  • assets/js/leaderboard.js
  • assets/js/app_functions.js
  • assets/js/main.js
  • assets/js/cdn-base.js
  • assets/js/ab-blank.js
  • assets/js/links.js
Network endpoints (3)
  • raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js
  • hqlgppguxhqeaonjzinv.supabase.co
  • cdn.jsdelivr.net/npm/@supabase/supabase-js@2

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • assets/js/leaderboard.js fetches remote scores.js from raw.githubusercontent.com and passes response text to eval()
  • leaderboard.html loads assets/js/leaderboard.js at page runtime
  • assets/js/app_functions.js embeds a Supabase anon key and queries https://hqlgppguxhqeaonjzinv.supabase.co for app data
Evidence against
  • package.json has no lifecycle scripts, bin, dependencies, or install-time execution
  • No Node child_process, filesystem access, native binaries, or shell execution found
  • Supabase key is anon client-side configuration, not a service-role secret
  • Remote network use is for a static games site: app listings, leaderboard, fonts, and assets
Behavioral surface
Source: Eval, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 9 file(s), 41.9 KB of source, external domains: (list omitted)

Source & flagged code

4 flagged
assets/js/app_functions.js
  L3: patternName = supabase_service_key severity = critical line = 3 matchedText = "eyJhbGc...w8";
Critical · Critical Secret

Package contains a critical-looking secret pattern.

assets/js/app_functions.js · L3
  L3: patternName = supabase_service_key severity = critical line = 3 matchedText = "eyJhbGc...w8";
Critical · Secret Pattern

Supabase service role key (JWT) in assets/js/app_functions.js

assets/js/app_functions.js · L3
assets/js/leaderboard.js
  L36: async function getScores() {
  L37:   let response = await fetch(
  L38:     "https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js",
  L39:   );
  L40:   return await response.text(); // is promise for whatever reason
  L41: }
  ...
  L45:   let js_code = await getScores();
  L46:   eval(js_code); // never use eval
  L47: } catch (e) {
Critical · Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

assets/js/leaderboard.js · L36
  L45:   let js_code = await getScores();
  L46:   eval(js_code); // never use eval
  L47: } catch (e) {
High · Eval

Package source references dynamic code evaluation.

assets/js/leaderboard.js · L45

Findings

3 Critical · 1 High · 2 Medium · 2 Low
  • Critical · Critical Secret · assets/js/app_functions.js
  • Critical · Remote Asset Decode Execute · assets/js/leaderboard.js
  • Critical · Secret Pattern · assets/js/app_functions.js
  • High · Eval · assets/js/leaderboard.js
  • Medium · Network
  • Medium · Structural Risk Force Deep Review
  • Low · High Entropy Strings
  • Low · Url Strings