registry  /  hablas-tools  /  7.2.0

hablas-tools@7.2.0

AI Security Review

scanned 4h ago · by lpm-firewall-ai

The package is an interactive bulk username-checking suite for TikTok and WhatsApp. It can rotate through scraped proxies and persist local configuration, results, and WhatsApp authentication state. No install-time or stealth attack path was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the CLI, authenticates, selects a checker, and starts scanning.
Impact
Enables platform-targeted enumeration and proxy-assisted automation; no confirmed host compromise or data exfiltration.
Mechanism
Bulk username enumeration with optional proxy routing and WhatsApp session queries.
Rationale
Source confirms a user-invoked, proxy-assisted username-enumeration capability across TikTok and WhatsApp. It is not concretely malicious, but the dual-use automation warrants a warning.
Evidence
package.jsonbin/cli.jsshared/config.jstools/tiktok/checker.jstools/tiktok/proxy.jstools/tiktok/menu.jstools/whatsapp/auth.jstools/tiktok/notify.jstools/whatsapp/state.jsdata/config.jsonauth_info
Network endpoints4
www.tiktok.comapi.proxyscrape.comproxylist.geonode.comapi.telegram.org

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `tools/tiktok/checker.js` bulk-checks TikTok usernames through direct or proxy CONNECT requests.
  • `tools/tiktok/proxy.js` fetches public proxies and validates tunnels to TikTok.
  • `tools/whatsapp/auth.js` logs into WhatsApp and submits arbitrary username checks via its MEX query.
  • `tools/tiktok/menu.js` exposes configurable concurrency, proxy loading, and auto-proxy acquisition.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `bin/cli.js` only loads tool modules after an interactive menu selection.
  • `shared/config.js` uses `HABLAS_DATA_DIR` only as a config location; no environment harvesting occurs.
  • Outbound notifications in `tools/tiktok/notify.js` require user-supplied Discord or Telegram credentials.
  • No child-process execution, eval/vm usage, remote code loading, or unrelated credential exfiltration was found.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 125 KB of source, external domains: api.proxyscrape.com, api.telegram.org, hablas.tech, proxylist.geonode.com, www.tiktok.com

Source & flagged code

2 flagged · loading source
shared/config.jsView file
64patternName = generic_password severity = medium line = 64 matchedText = password...re',
Medium
Secret Pattern

Package contains a possible secret pattern.

shared/config.jsView on unpkg · L64
tools/tiktok/checker.jsView file
matchType = previous_version_dangerous_delta matchedPackage = hablas-tools@7.1.4 matchedIdentity = npm:aGFibGFzLXRvb2xz:7.1.4 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

tools/tiktok/checker.jsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltatools/tiktok/checker.js
MediumSecret Patternshared/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings