
grapes-andrewdingus@1.0.23

GRAPES OS static site — CDN-ready via unpkg

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Opening the leaderboard page executes mutable remote JavaScript fetched from GitHub. This gives the remote repository control over browser-side code after the npm package is published.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User opens leaderboard.html in a browser/CDN context.
Impact
Remote code can run in the page origin, alter displayed content, access page/localStorage context, and make browser network requests.
Mechanism
fetch remote JavaScript text and eval it
Attack narrative
When leaderboard.html loads, it includes assets/js/leaderboard.js. That script fetches scores.js from raw.githubusercontent.com and passes the returned text directly to eval, so the package delegates runtime code execution to mutable remote content outside the published npm artifact.
Rationale
The confirmed behavior is not merely loading a normal third-party library: it fetches remote text and evaluates it as code, creating a post-publish remote payload channel. No install-time compromise was found, but the runtime browser attack surface is concrete enough to block. Because the false-positive risk is not low, the product guard normalized the publish_block request to a warn-only Suspicious verdict.
Evidence
  • package.json
  • leaderboard.html
  • assets/js/leaderboard.js
  • assets/js/app_functions.js
Network endpoints (3)
  • raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js
  • hqlgppguxhqeaonjzinv.supabase.co
  • cdn.jsdelivr.net/npm/@supabase/supabase-js@2

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Malware with medium false-positive risk.
Evidence for block
  • assets/js/leaderboard.js fetches remote scores.js from raw.githubusercontent.com at runtime.
  • assets/js/leaderboard.js immediately evals fetched remote text in main().
  • leaderboard.html loads assets/js/leaderboard.js with defer when the leaderboard page opens.
Evidence against
  • package.json has no lifecycle scripts, bin, dependencies, or Node install-time hooks.
  • Source is primarily a static browser site with HTML/CSS/images.
  • assets/js/app_functions.js uses a Supabase anon key for browser data access, consistent with public Supabase clients.
Behavioral surface
Source
Eval, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 9 file(s), 41.8 KB of source

Source & flagged code

4 flagged
assets/js/app_functions.js
L3: patternName = supabase_service_key severity = critical line = 3 matchedText = "eyJhbGc...w8";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/js/app_functions.js · L3
L3: patternName = supabase_service_key severity = critical line = 3 matchedText = "eyJhbGc...w8";
Critical
Secret Pattern

Supabase service role key (JWT) in assets/js/app_functions.js

assets/js/app_functions.js · L3
assets/js/leaderboard.js
L36: async function getScores() {
L37:   let response = await fetch(
L38:     "https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js",
L39:   );
L40:   return await response.text(); // is promise for whatever reason
L41: }
...
L45:   let js_code = await getScores();
L46:   eval(js_code); // never use eval
L47: } catch (e) {
Critical
Remote Asset Decode Execute

Source fetches a remote asset at runtime and dynamically executes its contents as code. In this package the fetched text is passed straight to eval with no decoding step, so whatever the remote host currently serves runs in the page origin.

assets/js/leaderboard.js · L36
L45:   let js_code = await getScores();
L46:   eval(js_code); // never use eval
L47: } catch (e) {
High
Eval

Package source references dynamic code evaluation.

assets/js/leaderboard.js · L45

Findings

3 Critical · 1 High · 2 Medium · 2 Low
  • Critical · Critical Secret · assets/js/app_functions.js
  • Critical · Remote Asset Decode Execute · assets/js/leaderboard.js
  • Critical · Secret Pattern · assets/js/app_functions.js
  • High · Eval · assets/js/leaderboard.js
  • Medium · Network
  • Medium · Structural Risk Force Deep Review
  • Low · High Entropy Strings
  • Low · Url Strings