konnektive-one@1.0.1

Konnektive / CheckoutChamp checkout engine — single-bundle (jQuery + sweetalert2). Load dist/engine.js with a data-config attribute pointing at your OPconfig.js.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The bundled browser script contains protestware that disrupts pages for Russian-language users on targeted TLDs. It persists a localStorage timestamp, then disables page interaction and plays remote audio after a delay window.

Static reason
One or more suspicious static signals were detected.
Trigger
Loading dist/engine.js in a browser matching ru language and targeted host TLD after the localStorage delay
Impact
Affected storefront pages can become unusable and play unsolicited remote audio.
Mechanism
protestware page disruption in bundled dependency code
Attack narrative
When the package's main browser bundle loads, embedded SweetAlert2 code checks navigator.language and the page host. On matching Russian-language users and targeted TLDs, it records a localStorage timestamp; after the delay threshold, it disables body pointer events and appends a looping audio element sourced from flag-gimn.ru. This is non-consensual runtime disruption unrelated to checkout behavior.
Rationale
Static inspection confirms concrete protestware in the shipped main bundle, despite otherwise package-aligned checkout API behavior and no install hook. Because the code can intentionally degrade consumer sites for a targeted user/host class, this is malicious rather than a noisy scanner hit.
Evidence
package.json, dist/engine.js, readme.md, localStorage:swal-initiation, document.body, injected audio element
Network endpoints (1)
flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Malware with low false-positive risk.
Evidence for block
  • dist/engine.js bundles SweetAlert2 code that checks Russian browser language and .ru/.su/.by/xn--p1ai hosts.
  • dist/engine.js stores localStorage key swal-initiation and after 3 days disables document.body pointer events.
  • dist/engine.js injects looping audio from https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3.
  • Behavior is import/runtime activated in the browser, not limited to a documented user-invoked feature.
Evidence against
  • package.json has no npm lifecycle hooks or bin entries.
  • Main package functionality is a checkout engine with Konnektive/CheckoutChamp API calls.
  • Scanner secret hint appears to be test card numbers/config values, not hardcoded credentials.
  • No child_process, filesystem writes, native binaries, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcess, Eval
Supply chain
HighEntropyStrings, Minified, Trivial, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 322 KB of source, external domains: app.datashuttle.co, conversiontracking.campaigner.com, flag-gimn.ru, github.com, gt42vlw5wpgmiavk2np7ik5vri0dcfqr.lambda-url.us-east-1.on.aws, lambda.token-fetch-envisia.com, maps.googleapis.com, ssl.kaptcha.com, sweetalert2.github.io, tools.usps.com, www.fedex.com, www.ups.com, yt5s43ksmu37b2ae3ntnz2ffku0mfyme.lambda-url.us-east-1.on.aws

Source & flagged code

3 flagged
dist/engine.js
patternName = google_api_key severity = high line = 1 matchedText = !functio...)));
High
High Secret

Package contains a high-severity secret pattern.

dist/engine.js · L1
patternName = google_api_key severity = high line = 1 matchedText = !functio...)));
High
Secret Pattern

Google API key in dist/engine.js

dist/engine.js · L1
!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t(require("jQuery"));else if("function"==typeof define&&define.amd)define(["jQuery"],t);else{var ...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/engine.js · L1

Findings

2 High, 4 Low
  • High: High Secret (dist/engine.js)
  • High: Secret Pattern (dist/engine.js)
  • Low: Scripts Present
  • Low: Eval (dist/engine.js)
  • Low: High Entropy Strings
  • Low: Url Strings