AI Security Review
scanned 2d ago · by lpm-firewall-ai

The package contains a static site leaderboard page that loads remote JavaScript from GitHub and executes it with eval. This gives the remote repository control over the code that runs in users' browsers whenever the leaderboard page is opened.
Decision evidence
public snapshot
- assets/js/leaderboard.js fetches https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js
- assets/js/leaderboard.js immediately evals fetched response text in the browser
- leaderboard.html includes assets/js/leaderboard.js as a deferred runtime script
- package.json homepage points to unrelated https://unpkg.com/bypass-sam1@latest/
- package.json has no install/preinstall/postinstall lifecycle scripts
- Main package surface is a static site with HTML/CSS/JS assets
- assets/js/app_functions.js Supabase anon key is used for public app listing RPCs, not credential harvesting
- No filesystem, child_process, persistence, or npm-time execution found
Source & flagged code
6 flagged
- Package contains a critical-looking secret pattern.
  assets/js/app_functions.js, line 3
- Supabase service role key (JWT) in assets/js/app_functions.js
  assets/js/app_functions.js, line 3
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
  assets/js/leaderboard.js, line 36
- Source file is highly similar to a previously finalized malicious package; route for source-aware review.
  assets/js/leaderboard.js
- Source fingerprint signature matches a known malicious package signature; route for source-aware review.
  assets/js/leaderboard.js