konnektive-one@1.0.0

Konnektive / CheckoutChamp checkout engine — single-bundle (jQuery + sweetalert2). Load dist/engine.js with a data-config attribute pointing at your OPconfig.js.

AI Security Review

scanned 11h ago · by lpm-firewall-ai

Runtime browser checkout code collects payment and customer PII and sends it to hardcoded non-Konnektive proxy endpoints by default. This creates a concrete credential/payment data exfiltration surface for any site embedding the bundle without overriding the config.

Static reason
One or more suspicious static signals were detected.
Trigger
User embeds dist/engine.js on a checkout page and shoppers submit checkout/member forms.
Impact
Payment card data, CVV, customer PII, order details, referrer, IP, and contact form data can be sent to package-controlled infrastructure.
Mechanism
browser-side checkout data POSTs to hardcoded proxy endpoints
Attack narrative
The package is a browser checkout bundle. Its default INITIAL_STATE points Konnektive-like API operations at hardcoded lambda/token-fetch endpoints, while checkout functions gather card number, CVV, billing/shipping PII, order IDs, email, phone, IP, and referrer and POST them through getConfig().konnektiveAPIURL and related URLs. An embedding merchant can override config, but the shipped defaults establish a payment-data exfiltration path to non-official infrastructure.
Rationale
Static inspection confirms no install-time malware, but the runtime bundle has a concrete hardcoded endpoint path for payment and PII collection that is not merely a noisy scanner secret. The behavior is security-critical and blockable because it can exfiltrate shopper card/CVV and personal data during normal package use.
Evidence
package.json, readme.md, dist/engine.js
Network endpoints (8)
lambda.token-fetch-envisia.com:3000/, lambda.token-fetch-envisia.com:3001/, lambda.token-fetch-envisia.com:3002/, lambda.token-fetch-envisia.com:3003/, lambda.token-fetch-envisia.com:3005, gt42vlw5wpgmiavk2np7ik5vri0dcfqr.lambda-url.us-east-1.on.aws/, yt5s43ksmu37b2ae3ntnz2ffku0mfyme.lambda-url.us-east-1.on.aws, flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Malware with low false-positive risk.
Evidence for block
  • dist/engine.js default config routes Konnektive API, RedTrack, IP, contact, and error traffic to hardcoded lambda.token-fetch-envisia.com / AWS Lambda URLs.
  • dist/engine.js builds checkout/order requests containing cardNumber, CVV, billing/shipping PII, email, phone, IP, and order data, then POSTs them to getConfig().konnektiveAPIURL.
  • dist/engine.js loads a data-config script from the embedding page and auto-initializes browser checkout behavior, so the behavior triggers at runtime on merchant pages.
  • dist/engine.js contains bundled code that can disable body pointer events and play https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3 for ru/by-like locales after a delay.
Evidence against
  • package.json has no npm lifecycle hooks, bin entry, or install-time execution.
  • No child_process, native binary loading, filesystem writes, or AI-agent control-surface mutation found.
  • README describes a browser checkout engine loaded explicitly by script tag with PaymentEngine.init config.
Behavioral surface
Source
ChildProcess, Eval
Supply chain
HighEntropyStrings, Minified, Trivial, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 321 KB of source, external domains: app.datashuttle.co, conversiontracking.campaigner.com, flag-gimn.ru, github.com, gt42vlw5wpgmiavk2np7ik5vri0dcfqr.lambda-url.us-east-1.on.aws, lambda.token-fetch-envisia.com, maps.googleapis.com, ssl.kaptcha.com, sweetalert2.github.io, tools.usps.com, www.fedex.com, www.ups.com, yt5s43ksmu37b2ae3ntnz2ffku0mfyme.lambda-url.us-east-1.on.aws

Source & flagged code

3 flagged
dist/engine.js
patternName = google_api_key severity = high line = 1 matchedText = !functio...)));
High
High Secret

Package contains a high-severity secret pattern.

dist/engine.js · L1
patternName = google_api_key severity = high line = 1 matchedText = !functio...)));
High
Secret Pattern

Google API key in dist/engine.js

dist/engine.js · L1
!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t(require("jQuery"));else if("function"==typeof define&&define.amd)define(["jQuery"],t);else{var ...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/engine.js · L1

Findings

2 High, 4 Low
High · High Secret · dist/engine.js
High · Secret Pattern · dist/engine.js
Low · Scripts Present
Low · Eval · dist/engine.js
Low · High Entropy Strings
Low · Url Strings