registry  /  nottuff14  /  2.0.0

nottuff14@2.0.0

Republished package

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Opening the package's declared HTML entrypoint fetches and executes attacker-controlled remote JavaScript. Bundled proxy/service-worker components can route browser requests and synchronize cookies when activated by the application.

Static reason
One or more suspicious static signals were detected.
Trigger
A user opens `index.html` or serves the package as a web app.
Impact
The remote host can execute arbitrary JavaScript in the page origin and access data available to that browser application.
Mechanism
Unpinned third-party script execution with browser proxy runtime.
Attack narrative
The declared entrypoint is an HTML application that automatically loads JavaScript from `c.vipersfutbol.com`; the package does not pin, verify, or bundle that code. Whoever controls that endpoint can change the payload after publication and execute it whenever the app is opened. The package also ships obfuscated browser bundles and a service-worker/proxy stack that supports request routing and cookie synchronization, increasing the impact of executing an unreviewable remote payload.
Rationale
This is not merely a static hint: direct source inspection confirms an unconditional remote script execution path from the declared entrypoint. The lack of npm lifecycle hooks limits install-time impact but does not remove the concrete browser-time remote-code-execution risk.
Evidence
package.jsonindex.htmlct1tl/pap3do.jsct1tl/csbzam.jsassets/proxy-runtime-1NyFshf9.jsassets/ChatPage-zoA8Z6RX.jsassets/index-CJm_PfL2.jsbfjdx/w7m632.wasm
Network endpoints2
c.vipersfutbol.com/script.jswww.googletagmanager.com/gtag/js?id=G-0VL3ZSBXDH

Decision evidence

public snapshot
AI called this Malicious at 90.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.html` unconditionally loads `https://c.vipersfutbol.com/script.js`.
  • `index.html` is the declared `main` entrypoint.
  • `assets/ChatPage-zoA8Z6RX.js` and `assets/index-CJm_PfL2.js` are heavily obfuscated.
  • `ct1tl/pap3do.js` implements proxy/service-worker cookie and request routing.
  • `assets/proxy-runtime-1NyFshf9.js` loads a bundled WebAssembly network runtime.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall hook.
  • No Node filesystem, environment harvesting, or child-process behavior was found in the inspected entry path.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 7.27 MB of source, external domains: 127.0.0.1, aomediacodec.github.io, cdn.jsdelivr.net, cloud-api.livekit.io, curl.se, emscripten.org, fingerprint.com, github.com, m1.openfpcdn.io, react.dev, sj-cache.invalid, twemoji.maxcdn.com, www.w3.org, www.zlib.net

Source & flagged code

7 flagged · loading source
assets/proxy-runtime-1NyFshf9.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Secret Pattern

AWS access key ID in assets/proxy-runtime-1NyFshf9.js

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
bfjdx/757lr8.jsView file
17L18: //# sourceURL=${A}`)();n=c,o=l}else n=g.z$,o=g.Mt;r.construct&&(l.construct=function(e,t,i){let n,s=!1,a={fn:e,this:null,args:t,newTarget:i,return:e=>{s=!0,n=e},call:()=>(s=!0,n=o(... L19: //# sourceURL=${r.url.href}`),n}return o.body;case"style":return(0,i.sM)(await o.text(),e.context,r.meta);case"sharedworker":case"worker":return(0,i.iP)(new Uint8Array(await o.arra...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bfjdx/757lr8.jsView on unpkg · L17
assets/ChatPage-zoA8Z6RX.jsView file
1(function(_0x31bba3,_0x379132){const _0x159e7b={_0x26fc34:0x358,_0x56fc24:0x70c,_0x216b69:0x578,_0x22d6fc:0x60b,_0x33af41:0x2a6,_0x514b56:0x7f9,_0x4ccc4c:0x9d1,_0x35dd24:0xfdf,_0x1...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

assets/ChatPage-zoA8Z6RX.jsView on unpkg · L1
bfjdx/w7m632.wasmView file
path = bfjdx/w7m632.wasm kind = wasm_module sizeBytes = 586279 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bfjdx/w7m632.wasmView on unpkg
assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
assets/livekit-C0E_jLSz.jsView file
13patternName = generic_password severity = medium line = 13 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Hardcoded password in assets/livekit-C0E_jLSz.js

assets/livekit-C0E_jLSz.jsView on unpkg · L13

Findings

2 Critical3 High6 Medium4 Low
CriticalCritical Secretassets/proxy-runtime-1NyFshf9.js
CriticalSecret Patternassets/proxy-runtime-1NyFshf9.js
HighObfuscated Payload Loaderassets/ChatPage-zoA8Z6RX.js
HighObfuscated
HighShips High Entropy Blobassets/KaTeX_Script-Regular-D3wIWfF6.woff2
MediumDynamic Requirebfjdx/757lr8.js
MediumNetwork
MediumProtestware
MediumShips Wasm Modulebfjdx/w7m632.wasm
MediumStructural Risk Force Deep Review
MediumSecret Patternassets/livekit-C0E_jLSz.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License