AI Security Review
scanned 11h ago · by lpm-firewall-ai
Runtime browser checkout code collects payment and customer PII and sends it to hardcoded non-Konnektive proxy endpoints by default. This creates a concrete credential/payment data exfiltration surface for any site embedding the bundle without overriding the config.
Static reason
One or more suspicious static signals were detected.
Trigger
User embeds dist/engine.js on a checkout page and shoppers submit checkout/member forms.
Impact
Payment card data, CVV, customer PII, order details, referrer, IP, and contact form data can be sent to package-controlled infrastructure.
Mechanism
browser-side checkout data POSTs to hardcoded proxy endpoints
Attack narrative
The package is a browser checkout bundle. Its default INITIAL_STATE points Konnektive-like API operations at hardcoded lambda/token-fetch endpoints, while checkout functions gather card number, CVV, billing/shipping PII, order IDs, email, phone, IP, and referrer and POST them through getConfig().konnektiveAPIURL and related URLs. An embedding merchant can override config, but the shipped defaults establish a payment-data exfiltration path to non-official infrastructure.
Rationale
Static inspection confirms no install-time malware, but the runtime bundle has a concrete hardcoded endpoint path for payment and PII collection that is not merely a noisy scanner secret. The behavior is security-critical and blockable because it can exfiltrate shopper card/CVV and personal data during normal package use.
Evidence
package.json, readme.md, dist/engine.js
Network endpoints (8)
- lambda.token-fetch-envisia.com:3000/
- lambda.token-fetch-envisia.com:3001/
- lambda.token-fetch-envisia.com:3002/
- lambda.token-fetch-envisia.com:3003/
- lambda.token-fetch-envisia.com:3005
- gt42vlw5wpgmiavk2np7ik5vri0dcfqr.lambda-url.us-east-1.on.aws/
- yt5s43ksmu37b2ae3ntnz2ffku0mfyme.lambda-url.us-east-1.on.aws
- flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3
Decision evidence
public snapshot
AI called this Malicious at 92.0% confidence as Malware with low false-positive risk.
Evidence for block
- dist/engine.js default config routes Konnektive API, RedTrack, IP, contact, and error traffic to hardcoded lambda.token-fetch-envisia.com / AWS Lambda URLs.
- dist/engine.js builds checkout/order requests containing cardNumber, CVV, billing/shipping PII, email, phone, IP, and order data, then POSTs them to getConfig().konnektiveAPIURL.
- dist/engine.js loads a data-config script from the embedding page and auto-initializes browser checkout behavior, so the behavior triggers at runtime on merchant pages.
- dist/engine.js contains bundled code that can disable body pointer events and play https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3 for ru/by-like locales after a delay.
Evidence against
- package.json has no npm lifecycle hooks, bin entry, or install-time execution.
- No child_process, native binary loading, filesystem writes, or AI-agent control-surface mutation found.
- README describes a browser checkout engine loaded explicitly by script tag with PaymentEngine.init config.
Behavioral surface
ChildProcess, Eval, HighEntropyStrings, Minified, TrivialUrlStrings
Source & flagged code
3 flagged in dist/engine.js

Finding 1 (High)
patternName = google_api_key
severity = high
line = 1
matchedText = !functio...)));

Finding 2 (High)
patternName = google_api_key
severity = high
line = 1
matchedText = !functio...)));

Finding 3 (Low, Eval)
line 1: !function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t(require("jQuery"));else if("function"==typeof define&&define.amd)define(["jQuery"],t);else{var ...
Package source references a known benign dynamic code generation pattern.
Findings for dist/engine.js (line 1): 2 High, 4 Low
- High: Secret (dist/engine.js)
- High: Secret Pattern (dist/engine.js)
- Low: Scripts Present
- Low: Eval (dist/engine.js)
- Low: High Entropy Strings
- Low: Url Strings