AI Security Review
scanned 2d ago · by lpm-firewall-ai
The package is a static site, but its leaderboard page fetches JavaScript from a remote GitHub raw URL and evals it in the browser. This makes executable behavior mutable outside the published npm artifact.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User opens leaderboard.html in a browser
Impact
Remote arbitrary browser-side JavaScript can execute outside package review boundaries.
Mechanism
remote JavaScript fetch followed by eval
Attack narrative
leaderboard.html includes assets/js/leaderboard.js. That script fetches scores.js from raw.githubusercontent.com and passes the response text directly to eval, so any change in that remote repository can execute arbitrary browser JavaScript for users viewing the package's leaderboard page.
Rationale
Direct source inspection confirms a remote fetch-and-eval path in a browser entrypoint, which is concrete remote code execution rather than a static data fetch. The Supabase usage appears package-aligned, but it does not mitigate the remotely mutable eval loader.
Evidence
- package.json
- leaderboard.html
- assets/js/leaderboard.js
- assets/js/app_functions.js
Network endpoints (2)
- raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js
- hqlgppguxhqeaonjzinv.supabase.co
Decision evidence
public snapshot: AI called this Malicious at 92.0% confidence as Malware with low false-positive risk.
Evidence for block
- assets/js/leaderboard.js fetches remote JavaScript from raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js.
- assets/js/leaderboard.js executes the fetched text with eval(js_code) during main().
- leaderboard.html loads /assets/js/leaderboard.js with defer, so visiting the leaderboard page triggers remote code execution.
- package.json declares main/unpkg as index.html and has no server-side package logic; the risky behavior is in browser runtime source.
Evidence against
- package.json has no lifecycle scripts, so there is no install-time execution.
- Scanner hint for image steganography was noisy: inspected leaderboard.js fetches raw GitHub JS, not an image decode path.
- assets/js/app_functions.js Supabase anon key is used for browser app listing RPC/cache behavior, not credential/env/file harvesting.
- No child_process, filesystem writes, persistence, destructive behavior, or AI-agent control-surface mutation found.
Behavioral surface
- Eval
- Network
- HighEntropyStrings
- UrlStrings
Source & flagged code
4 flagged
assets/js/app_functions.js
patternName = supabase_service_key
severity = critical
line = 3
matchedText = "eyJhbGc...w8";
Critical
Critical Secret
Package contains a critical-looking secret pattern.
assets/js/app_functions.js · L3
patternName = supabase_service_key
severity = critical
line = 3
matchedText = "eyJhbGc...w8";
Critical
Secret Pattern
Supabase service role key (JWT) in assets/js/app_functions.js
assets/js/app_functions.js · L3
assets/js/leaderboard.js
async function getScores() {
  let response = await fetch(
    "https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js",
  );
  return await response.text(); // is promise for whatever reason
}
...
  let js_code = await getScores();
  eval(js_code); // never use eval
} catch (e) {
Critical
Remote Asset Decode Execute
Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
assets/js/leaderboard.js · L36
  let js_code = await getScores();
  eval(js_code); // never use eval
} catch (e) {
High
Findings
3 Critical · 1 High · 2 Medium · 2 Low
- Critical · Critical Secret · assets/js/app_functions.js
- Critical · Remote Asset Decode Execute · assets/js/leaderboard.js
- Critical · Secret Pattern · assets/js/app_functions.js
- High · Eval · assets/js/leaderboard.js
- Medium · Network
- Medium · Structural Risk Force Deep Review
- Low · High Entropy Strings
- Low · Url Strings