
grapes-andrewdingus@1.0.21

GRAPES OS static site — CDN-ready via unpkg

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The confirmed risk is browser runtime remote-code execution on the leaderboard page. No install-time npm compromise behavior was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User visits leaderboard.html in a browser with JavaScript enabled.
Impact
Anyone who can change the remote repository (here, push to the main branch of grapes-os/grapes-os-leaderboard) can execute arbitrary JavaScript in the origin of the package-hosted site, for every consumer of every published package version, since the URL is not pinned to a commit.
Mechanism
Fetches remote JavaScript over HTTPS and passes the response text straight to eval().
Attack narrative
On leaderboard page load, assets/js/leaderboard.js downloads scores.js from GitHub raw content and immediately evals it. That gives the remote repository control over browser JavaScript executed by consumers of the npm-hosted static site, but inspection did not find install hooks, local file access, credential harvesting, or a concrete malicious payload in the packaged source.
Rationale
Source inspection confirms a real dangerous browser RCE pattern, but the behavior is page-scoped static-site functionality and no concrete malicious payload or npm install-time attack was present. Treat as a warning rather than a publish block.
Evidence
  • package.json
  • leaderboard.html
  • assets/js/leaderboard.js
  • assets/js/app_functions.js
  • assets/js/links.js
  • assets/js/ab-blank.js
Network endpoints (2)
  • raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js
  • hqlgppguxhqeaonjzinv.supabase.co

Decision evidence

AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • assets/js/leaderboard.js fetches remote JS from raw.githubusercontent.com and passes response text to eval().
  • leaderboard.html loads assets/js/leaderboard.js on page visit, creating runtime remote-code execution in the browser.
  • assets/js/links.js contains many external proxy/unblocker URLs that can be loaded into gameFrame by user action.
  • assets/js/ab-blank.js opens the site in an about:blank-style window and closes the original tab, a user-facing cloaking behavior.
Evidence against
  • package.json has no lifecycle scripts and main is a static index.html.
  • No Node child_process, filesystem access, native binaries, install-time execution, or credential harvesting found.
  • Supabase key in assets/js/app_functions.js is an anon browser client key used for app listing RPC, not a service-role secret.
  • Remote leaderboard code appears intended as site content data for score rendering, not confirmed credential exfiltration or persistence.
Behavioral surface
Source: Eval, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 9 file(s), 41.9 KB of source, external domains: 1.australianhuntermag.com.au, 1.belizebuilders.com, 1.burgermap.org, 1.chowpatty.com, 1.deleesportsmedicine.com, 1.lscomm.net, 1.oceanracingseries.co.za, 1.rodolfocolen.com, 1.room4rent.cl, 1.rootsbobcat.com, 1.southwestvoodoo.com, 1.tartsandcrafts.ca, 1.tomholden.info, 1.videospeed.cl, 1.vivocolor.cl, 2.intothelightprod.com, 2.macao.net, 57.admain.cl, acetaminophen.deleesportsmedicine.com, acting.intothelightprod.com, adsadkjsadjksakldjxx.math-solver.online, agent.room4rent.cl, alpha.y.glenwaverleychurches.org, antihistamines.medscience.cl, api.cloud.rigaprecast.com, app.cloud.rigaprecast.com, attractions.uk.to, aurora.xyz.moochurch.com, b.j0.icom.org.np, backend.development.sanluix.org, basketball.prosports.cl, behavior.lasersoft.net.au, beta.y.glenwaverleychurches.org, biology-img.shekinahphotography.com, blog.cloud.rigaprecast.com, boeing.morlockaerospace.com, books.michelleingah.com, ca.skimanshop.it, carriers.mobile-node.net, cdn.businessrelay.co.za, cdn.i-mind.cl, cdn.masonic-lodge.ca, cdn.yourciooncall.com, cheap.showmyhomes.com, cheap.winterhouse.info, china.dingshun.hk, china.taoism-dingshun.org, construct.rustyfoundation.com, coolmathgames.com, cultures.linexedu.eu

Source & flagged code

4 flagged
assets/js/app_functions.js, line 3
patternName = supabase_service_key, severity = critical, line = 3, matchedText = "eyJhbGc...w8"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/js/app_functions.js, line 3 (same match as above)
Critical
Secret Pattern

Supabase service role key (JWT) in assets/js/app_functions.js, as labelled by the secret-pattern matcher. The AI review's "Evidence against" assessed the same value as the anon browser client key, so the two findings disagree on the key's role. The truncated match "eyJhbGc...w8" cannot settle it: "eyJhbGc" is just the base64 encoding of a JWT header that begins with {"alg", which every JWT shares. The role claim inside the payload ("anon" versus "service_role") is what decides whether this is a public client key or a server secret that must never ship in a static site.
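The check a practitioner would run before accepting either label, as an added example that is not code from the grapes-andrewdingus package or from the scanner: decode the JWT payload and read its role claim. The sample tokens, their project ref "exampleproject" and the placeholder signature are constructed for this example; the decoder ignores the signature because it only classifies the key, it does not verify it.

```javascript
// Added example for this review, not code from the grapes-andrewdingus package
// or from the lpm-firewall-ai scanner. It decodes a Supabase-style JWT's payload
// and classifies it by its `role` claim: Supabase anon keys carry role "anon",
// service-role keys carry role "service_role". The payload is read, not
// verified: a browser client has no signing secret, and this check only tells
// you which kind of key you are looking at.

function base64UrlDecode(segment) {
  // base64url -> standard base64 alphabet, restore stripped padding, decode UTF-8
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

function classifySupabaseKey(token) {
  const claims = decodeJwtPayload(token);
  const role = typeof claims.role === 'string' ? claims.role : 'missing';
  let severity;
  if (role === 'service_role') {
    severity = 'critical'; // bypasses row-level security; must never be shipped to a browser
  } else if (role === 'anon') {
    severity = 'info';     // public by design; RLS policies are the real control
  } else {
    severity = 'unknown';
  }
  return { role, iss: claims.iss, ref: claims.ref, severity };
}

// Constructed sample tokens (assumption: project ref "exampleproject"). The
// signature segment is a placeholder because classification never looks at it;
// real keys are signed with the project's JWT secret.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

const SAMPLE_ANON_KEY = makeUnsignedToken({
  iss: 'supabase', ref: 'exampleproject', role: 'anon', iat: 1700000000, exp: 2000000000,
});
const SAMPLE_SERVICE_KEY = makeUnsignedToken({
  iss: 'supabase', ref: 'exampleproject', role: 'service_role', iat: 1700000000, exp: 2000000000,
});

// Every JWT whose header starts with {"alg" encodes to "eyJhbGc", so the
// truncated matchedText in the finding above cannot distinguish the two kinds.
function sharesJwtPrefix(token) {
  return token.startsWith('eyJhbGc');
}

console.log(classifySupabaseKey(SAMPLE_ANON_KEY));
console.log(classifySupabaseKey(SAMPLE_SERVICE_KEY));
```

Run it against the real value on line 3 of app_functions.js (pulled from unpkg) and the role claim answers the question the two findings above disagree on. An anon key in a static site is expected; a service_role key is a publish-blocking leak regardless of what the rest of the review concluded.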
assets/js/leaderboard.js, lines 36-47
    async function getScores() {
      let response = await fetch(
        "https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js",
      );
      return await response.text(); // is promise for whatever reason
    }
    ...
      let js_code = await getScores();
      eval(js_code); // never use eval
    } catch (e) {
Critical
Remote Asset Decode Execute

Source fetches a remote asset and dynamically executes it. There is no decode step in this instance: the response body of scores.js is passed to eval() as-is, so whoever can push to the main branch of grapes-os/grapes-os-leaderboard chooses the JavaScript that runs in the page. Because the URL names a branch rather than a commit, a later push changes the behaviour of every package version already published.
assets/js/leaderboard.js, lines 45-47
      let js_code = await getScores();
      eval(js_code); // never use eval
    } catch (e) {
High
Eval

Package source references dynamic code evaluation (the same eval() call as the finding above, matched here by the generic eval rule).
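The flagged pattern beside a loader that treats the remote scores as data instead of code, as an added example that is not the package's own code and not a patch to it. The commit-pinned URL and the scores.json filename are assumptions for illustration, and fetch is injected so the whole file runs offline against constructed responses; in the real page the injected value would be the browser's fetch.

```javascript
// Added example for this review; not code from the grapes-andrewdingus package.
// Top: the flagged pattern (fetch remote text, eval it). Below it: a loader that
// treats scores as data: strict JSON, a schema check, and a URL pinned to an
// immutable commit instead of the moving "main" branch. The "<commit-sha>" and
// the .json filename are assumptions. `fetchImpl` is injected so the example
// runs offline against constructed responses.

// The pattern the scanner flagged: the remote repository owner decides what runs.
async function getScoresUnsafe(fetchImpl, url) {
  const response = await fetchImpl(url);
  const jsCode = await response.text();
  eval(jsCode); // anything served at `url` executes with the page's origin
}

// Hypothetical pinned location (assumption): a commit hash cannot be rewritten later.
const SCORES_URL_PINNED =
  'https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/<commit-sha>/scores.json';

const MAX_ENTRIES = 100;
const MAX_NAME_LENGTH = 32;

// Parse and validate the payload. Anything that is not exactly an array of
// {name: string, score: non-negative integer} is rejected, so a file that was
// edited into "statement; [...]" fails at JSON.parse instead of running.
function validateScores(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch {
    throw new Error('scores payload is not valid JSON');
  }
  if (!Array.isArray(data)) throw new Error('scores payload must be an array');
  if (data.length > MAX_ENTRIES) throw new Error(`more than ${MAX_ENTRIES} entries`);
  return data.map((entry, i) => {
    if (typeof entry !== 'object' || entry === null || Array.isArray(entry)) {
      throw new Error(`entry ${i} is not an object`);
    }
    const { name, score } = entry;
    if (typeof name !== 'string' || name.length === 0 || name.length > MAX_NAME_LENGTH) {
      throw new Error(`entry ${i}: bad name`);
    }
    if (!Number.isSafeInteger(score) || score < 0) {
      throw new Error(`entry ${i}: bad score`);
    }
    return { name, score }; // drop any extra properties the file may carry
  });
}

async function loadScores(fetchImpl, url) {
  const response = await fetchImpl(url);
  if (!response.ok) throw new Error(`scores fetch failed with HTTP ${response.status}`);
  return validateScores(await response.text());
}

// Render with textContent, never innerHTML or eval, so a name such as
// "<img src=x onerror=alert(1)>" is displayed literally. `doc` is the browser's
// `document`; it is a parameter only so the rest of this file runs outside a browser.
function renderScores(doc, scores) {
  const list = doc.createElement('ol');
  for (const { name, score } of scores) {
    const item = doc.createElement('li');
    item.textContent = `${name}: ${score}`;
    list.appendChild(item);
  }
  return list;
}

// Constructed responses standing in for the network.
function stubFetch(body, status = 200) {
  return async () => ({ ok: status >= 200 && status < 300, status, text: async () => body });
}

const BENIGN_SCORES = JSON.stringify([
  { name: 'alice', score: 1200 },
  { name: 'bob', score: 950 },
]);

// A scores file after a hostile commit: still carries a list of scores, but the
// leading statement runs as code under eval().
const HOSTILE_SCORES = 'globalThis.__leaderboardPwned = true; [{"name":"alice","score":1}]';

async function main() {
  await getScoresUnsafe(stubFetch(HOSTILE_SCORES), SCORES_URL_PINNED);
  console.log('eval path, attacker flag set:', globalThis.__leaderboardPwned === true);
  try {
    await loadScores(stubFetch(HOSTILE_SCORES), SCORES_URL_PINNED);
  } catch (e) {
    console.log('hardened path rejected hostile payload:', e.message);
  }
  console.log('hardened path, benign payload:', await loadScores(stubFetch(BENIGN_SCORES), SCORES_URL_PINNED));
}
main();
```

The validator is deliberately stricter than JSON.parse alone: a parseable but oversized array, a fractional score, or a top-level object all fail, so a compromised scores file can at most change what numbers are displayed, never what code runs.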

Findings

3 Critical · 1 High · 2 Medium · 2 Low
  • Critical: Critical Secret (assets/js/app_functions.js)
  • Critical: Remote Asset Decode Execute (assets/js/leaderboard.js)
  • Critical: Secret Pattern (assets/js/app_functions.js)
  • High: Eval (assets/js/leaderboard.js)
  • Medium: Network
  • Medium: Structural Risk Force Deep Review
  • Low: High Entropy Strings
  • Low: Url Strings