registry  /  hehehe  /  2.0.1

hehehe@2.0.1

High-performance DOM utility and diagnostic bridge for modern web applications.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Running the CLI launches a concealed persistent Electron process that captures another foreground window's image or UI text. It sends that content to ChatGPT through a hidden browser session and displays or types retrieved answers.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
User runs the `hehehe` CLI or its `start` script.
Impact
Unconsented collection and remote disclosure of on-screen content; evasion of proctoring controls and persistence through process disguise/respawn.
Mechanism
Stealth persistence plus foreground-window capture and remote answer relay.
Attack narrative
On user execution, the launcher copies Electron under the misleading `SearchFilterHost.exe` name, detaches a watchdog, and rapidly respawns it. The application captures the current foreground window as pixels or UI Automation text, sends the collected question content through a concealed ChatGPT browser session, then surfaces or types the answer. A bundled PowerShell payload can additionally decrypt OpenAI/ChatGPT cookies from local browsers. This is a concrete stealthy data-collection and remote-relay chain, not a diagnostic utility.
Rationale
Direct source inspection confirms active stealth persistence, foreground-window capture, and relay of captured content to ChatGPT. The benign postinstall hook does not reduce the runtime malicious behavior.
Evidence
package.jsonbin/kalamasha-tool.jsmain.jsbin/stealth_capture.ps1bin/uia_extract.pybin/chrome_cookies.ps1config.jsonbin/uia_extract.exe
Network endpoints2
chatgpt.com/chat.openai.com

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `bin/kalamasha-tool.js` disguises Electron as `SearchFilterHost.exe`, detaches it, and respawns it after termination.
  • `main.js` invokes `bin/stealth_capture.ps1` to capture the foreground window and queues its image data.
  • `main.js` runs `bin/uia_extract.py` or `bin/uia_extract.exe` to extract text from other foreground windows.
  • `main.js` injects captured images/text into a hidden ChatGPT window and retrieves answers.
  • `bin/chrome_cookies.ps1` decrypts OpenAI/ChatGPT browser cookies from Chrome, Edge, or Brave.
  • `main.js` and launcher contain explicit anti-proctor, stealth, and watchdog behavior.
Evidence against
  • `package.json` postinstall only attempts to require Electron and does not invoke the malicious runtime path.
  • No non-OpenAI remote endpoint was found in the inspected source.
  • The browser-cookie extractor is shipped but has no invocation from the JavaScript entrypoints inspected.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNativeBindingsShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 86.6 KB of source, external domains: chat.openai.com, chatgpt.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('electron')}catch(e){console.log('Electron will download on first run.')}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('electron')}catch(e){console.log('Electron will download on first run.')}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/kalamasha-tool.jsView file
2L3: const { spawn, execSync } = require('child_process'); L4: const path = require('path');
High
Child Process

Package source references child process execution.

bin/kalamasha-tool.jsView on unpkg · L2
2Cross-file remote execution chain: bin/kalamasha-tool.js spawns main.js; helper contains network access plus dynamic code execution. L2: L3: const { spawn, execSync } = require('child_process'); L4: const path = require('path'); ... L10: L11: const rootDir = path.resolve(__dirname, '..'); L12: const mainPath = path.resolve(rootDir, 'main.js'); L13: const appDataDir = path.join(process.env.LOCALAPPDATA, 'Microsoft', 'Windows', 'Diagnostics'); L14: const bootLog = path.join(appDataDir, 'boot.log');
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/kalamasha-tool.jsView on unpkg · L2
67try { L68: execSync('npm install ' + missing.join(' ') + ' --no-save', { L69: cwd: rootDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/kalamasha-tool.jsView on unpkg · L67
matchType = normalized_sha256 matchedPackage = hehehe@2.0.2 matchedPath = bin/kalamasha-tool.js matchedIdentity = npm:aGVoZWhl:2.0.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/kalamasha-tool.jsView on unpkg
main.jsView file
617// STRATEGY: Spawn a NEW electron process on the target desktop L618: // via CreateProcessW (PowerShell helper). Parent stays alive and goes dormant. L619:
High
Shell

Package source references shell execution.

main.jsView on unpkg · L617
bin/uia_extract.exeView file
path = bin/uia_extract.exe kind = native_binary sizeBytes = 27456832 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/uia_extract.exeView on unpkg
bin/chrome_cookies.ps1View file
path = bin/chrome_cookies.ps1 kind = build_helper sizeBytes = 11973 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/chrome_cookies.ps1View on unpkg

Findings

1 Critical6 High4 Medium4 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/kalamasha-tool.js
HighShellmain.js
HighCross File Remote Execution Contextbin/kalamasha-tool.js
HighRuntime Package Installbin/kalamasha-tool.js
HighKnown Malware Source Similaritybin/kalamasha-tool.js
MediumEnvironment Vars
MediumShips Native Binarybin/uia_extract.exe
MediumShips Build Helperbin/chrome_cookies.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings