
grapes-andrewdingus@1.0.30

GRAPES OS static site — CDN-ready via unpkg

AI Security Review

scanned 2d ago · by lpm-firewall-ai

The package is a static site, but its leaderboard page executes mutable remote JavaScript from GitHub at runtime. That remote code can run in the page origin when a visitor opens leaderboard.html.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package (routed for review); source fingerprint signature matched known malicious package (routed for review).
Trigger
User visits leaderboard.html from the published static site/package CDN.
Impact
Arbitrary browser-side code execution in the package site context; potential DOM manipulation, data access available to that origin, or further network actions.
Mechanism
Fetches remote JavaScript and passes it to eval() in the browser.
Attack narrative
On leaderboard page load, leaderboard.html includes assets/js/leaderboard.js. That script fetches scores.js from raw.githubusercontent.com and passes the returned text to eval(), so the package delegates executable code to a mutable remote repository rather than shipping inert leaderboard data.
Rationale
Source inspection confirms active runtime remote code execution via fetch plus eval in assets/js/leaderboard.js, reachable from leaderboard.html. The absence of install hooks lowers npm-install impact but does not remove the concrete browser execution attack surface.
Evidence
package.json, leaderboard.html, assets/js/leaderboard.js, assets/js/app_functions.js, prepare-unpkg.ps1
Network endpoints (1)
raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • assets/js/leaderboard.js fetches https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js.
  • assets/js/leaderboard.js immediately evals the fetched text in main().
  • leaderboard.html loads /assets/js/leaderboard.js with defer, activating on page visit.
Evidence against
  • package.json has no lifecycle scripts, bin, dependencies, or install-time execution.
  • assets/js/app_functions.js Supabase anon key is used for app listing RPC/localStorage caching and appears package-aligned.
  • prepare-unpkg.ps1 only copies CSS into assets/css before publish; it is not wired to npm scripts.
Behavioral surface
Source
Eval, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 9 file(s), 41.9 KB of source, external domains: 1

Source & flagged code

7 flagged
assets/js/app_functions.js
patternName = supabase_service_key severity = critical line = 3 matchedText = "eyJhbGc...w8";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/js/app_functions.js · L3
patternName = supabase_service_key severity = critical line = 3 matchedText = "eyJhbGc...w8";
Critical
Secret Pattern

Supabase service role key (JWT) in assets/js/app_functions.js

assets/js/app_functions.js · L3
assets/js/leaderboard.js
    36: async function getScores() {
    37:   let response = await fetch(
    38:     "https://raw.githubusercontent.com/grapes-os/grapes-os-leaderboard/main/scores.js",
    39:   );
    40:   return await response.text(); // is promise for whatever reason
    41: }
    ...
    45:   let js_code = await getScores();
    46:   eval(js_code); // never use eval
    47: } catch (e) {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

assets/js/leaderboard.js · L36
    45:   let js_code = await getScores();
    46:   eval(js_code); // never use eval
    47: } catch (e) {
High
Eval

Package source references dynamic code evaluation.

assets/js/leaderboard.js · L45
matchType = normalized_sha256 matchedPackage = grapes-andrewdingus@1.0.29 matchedPath = assets/js/leaderboard.js matchedIdentity = npm:Z3JhcGVzLWFuZHJld2Rpbmd1cw:1.0.29 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

assets/js/leaderboard.js
matchType = malicious_source_fingerprint_signature signature = 26a6083a366a497c signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = grapes-andrewdingus@1.0.29 matchedPath = assets/js/leaderboard.js matchedIdentity = npm:Z3JhcGVzLWFuZHJld2Rpbmd1cw:1.0.29 similarity = 1.000 shingleOverlap = 5 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

assets/js/leaderboard.js
prepare-unpkg.ps1
path = prepare-unpkg.ps1 kind = build_helper sizeBytes = 468 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

prepare-unpkg.ps1

Findings

3 Critical · 3 High · 3 Medium · 2 Low
Critical: Critical Secret (assets/js/app_functions.js)
Critical: Remote Asset Decode Execute (assets/js/leaderboard.js)
Critical: Secret Pattern (assets/js/app_functions.js)
High: Eval (assets/js/leaderboard.js)
High: Known Malware Source Similarity (assets/js/leaderboard.js)
High: Known Malware Source Fingerprint Signature (assets/js/leaderboard.js)
Medium: Network
Medium: Ships Build Helper (prepare-unpkg.ps1)
Medium: Structural Risk Force Deep Review
Low: High Entropy Strings
Low: Url Strings