registry  /  ishowfeet14  /  2.0.0

ishowfeet14@2.0.0

Republished package

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Opening the declared HTML entry immediately executes third-party JavaScript from c.vipersfutbol.com. That unpinned remote code can run with the page's origin privileges and interact with the included proxy/service-worker stack.

Static reason
One or more suspicious static signals were detected.
Trigger
User opens or serves index.html.
Impact
Remote operator can replace the loaded payload, read accessible page data, and issue same-origin requests; bundled proxy components handle routed requests and cookies.
Mechanism
Unpinned remote script loader with browser-origin code execution.
Attack narrative
The npm package is a republished browser application rather than a conventional library. Its declared entrypoint, index.html, directly loads a mutable script from c.vipersfutbol.com without an integrity constraint before loading the application bundle. This provides the remote host arbitrary JavaScript execution whenever a consumer opens the package entry. The included Scramjet service-worker/controller code routes proxied requests and persists controller cookies, increasing the value of that execution context.
Rationale
Direct execution of an unpinned, unrelated remote script is a concrete remote-payload chain, not merely a static heuristic. The absence of npm lifecycle hooks does not mitigate runtime browser code execution from the declared entrypoint.
Evidence
index.htmlpackage.jsonct1tl/jmqwjq.jsct1tl/pap3do.jsj6k3y8.jsassets/ChatPage-zoA8Z6RX.js
Network endpoints1
c.vipersfutbol.com/script.js

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.html loads and executes remote script from c.vipersfutbol.com on page open.
  • The remote script is not integrity-pinned and can change independently of the package.
  • package.json declares index.html as main and has no lifecycle hooks; opening the package entry triggers the script.
  • ct1tl/jmqwjq.js installs a service-worker request router that handles proxied traffic and cookies.
  • ct1tl/pap3do.js persists Scramjet controller cookies in IndexedDB.
  • The shipped app bundles are heavily obfuscated, including assets/ChatPage-zoA8Z6RX.js.
Evidence against
  • No npm preinstall, install, or postinstall hook is present.
  • No Node child-process, filesystem, or environment-variable harvesting behavior was found in inspected entry files.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 7.27 MB of source, external domains: 127.0.0.1, aomediacodec.github.io, cdn.jsdelivr.net, cloud-api.livekit.io, curl.se, emscripten.org, fingerprint.com, github.com, m1.openfpcdn.io, react.dev, sj-cache.invalid, twemoji.maxcdn.com, www.w3.org, www.zlib.net

Source & flagged code

7 flagged · loading source
assets/proxy-runtime-1NyFshf9.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Secret Pattern

AWS access key ID in assets/proxy-runtime-1NyFshf9.js

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
bfjdx/757lr8.jsView file
17L18: //# sourceURL=${A}`)();n=c,o=l}else n=g.z$,o=g.Mt;r.construct&&(l.construct=function(e,t,i){let n,s=!1,a={fn:e,this:null,args:t,newTarget:i,return:e=>{s=!0,n=e},call:()=>(s=!0,n=o(... L19: //# sourceURL=${r.url.href}`),n}return o.body;case"style":return(0,i.sM)(await o.text(),e.context,r.meta);case"sharedworker":case"worker":return(0,i.iP)(new Uint8Array(await o.arra...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bfjdx/757lr8.jsView on unpkg · L17
assets/ChatPage-zoA8Z6RX.jsView file
1(function(_0x31bba3,_0x379132){const _0x159e7b={_0x26fc34:0x358,_0x56fc24:0x70c,_0x216b69:0x578,_0x22d6fc:0x60b,_0x33af41:0x2a6,_0x514b56:0x7f9,_0x4ccc4c:0x9d1,_0x35dd24:0xfdf,_0x1...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

assets/ChatPage-zoA8Z6RX.jsView on unpkg · L1
bfjdx/w7m632.wasmView file
path = bfjdx/w7m632.wasm kind = wasm_module sizeBytes = 586279 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bfjdx/w7m632.wasmView on unpkg
assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
assets/livekit-C0E_jLSz.jsView file
13patternName = generic_password severity = medium line = 13 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Hardcoded password in assets/livekit-C0E_jLSz.js

assets/livekit-C0E_jLSz.jsView on unpkg · L13

Findings

2 Critical3 High6 Medium4 Low
CriticalCritical Secretassets/proxy-runtime-1NyFshf9.js
CriticalSecret Patternassets/proxy-runtime-1NyFshf9.js
HighObfuscated Payload Loaderassets/ChatPage-zoA8Z6RX.js
HighObfuscated
HighShips High Entropy Blobassets/KaTeX_Script-Regular-D3wIWfF6.woff2
MediumDynamic Requirebfjdx/757lr8.js
MediumNetwork
MediumProtestware
MediumShips Wasm Modulebfjdx/w7m632.wasm
MediumStructural Risk Force Deep Review
MediumSecret Patternassets/livekit-C0E_jLSz.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License