registry  /  nottuff2  /  2.0.0

nottuff2@2.0.0

Republished package

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Opening the declared HTML entry immediately loads an unrelated remote script with arbitrary browser-code execution authority. The app also registers a service worker that can proxy selected browser requests through a remote WebSocket transport.

Static reason
One or more suspicious static signals were detected.
Trigger
User opens `index.html` or serves the package as its declared entrypoint.
Impact
Remote operators can execute code in the visitor's origin and potentially observe or alter proxied application traffic.
Mechanism
remote script execution plus service-worker-backed web proxy
Attack narrative
The package is presented as an npm package but declares an HTML page as its entrypoint. Loading that page executes a remote script from `c.vipersfutbol.com` without integrity pinning. Its bundled proxy bootstrap registers a service worker and routes selected requests through a WebSocket endpoint at `21baseballacademy.com`; the worker forwards request URLs, headers, and bodies to its controller. This is a concrete remote-code and traffic-interception surface, not merely an obfuscation signal.
Rationale
Source inspection confirms immediate third-party remote code loading and a service-worker proxy transport. No install hook is needed for the package to create a harmful runtime attack surface when its declared entrypoint is used.
Evidence
index.htmlassets/boot-CVPGRFHh.jsj6k3y8.jsct1tl/jmqwjq.jsassets/ChatPage-zoA8Z6RX.js
Network endpoints2
c.vipersfutbol.com/script.jswss://21baseballacademy.com/fairs/

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.html` executes remote `https://c.vipersfutbol.com/script.js` on page load.
  • `assets/boot-CVPGRFHh.js` registers `j6k3y8.js` service worker.
  • `ct1tl/jmqwjq.js` intercepts routed fetches and forwards request bodies/headers through its controller.
  • `assets/boot-CVPGRFHh.js` configures proxy WebSocket `wss://21baseballacademy.com/fairs/`.
  • `assets/ChatPage-zoA8Z6RX.js` is heavily obfuscated and implements username/password sign-in requests.
Evidence against
  • `package.json` has no npm lifecycle scripts.
  • No Node entrypoint or filesystem/child-process harvesting was found.
  • The KaTeX font blobs and WASM runtime are consistent with bundled browser assets.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 7.27 MB of source, external domains: 127.0.0.1, aomediacodec.github.io, cdn.jsdelivr.net, cloud-api.livekit.io, curl.se, emscripten.org, fingerprint.com, github.com, m1.openfpcdn.io, react.dev, sj-cache.invalid, twemoji.maxcdn.com, www.w3.org, www.zlib.net

Source & flagged code

7 flagged · loading source
assets/proxy-runtime-1NyFshf9.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Secret Pattern

AWS access key ID in assets/proxy-runtime-1NyFshf9.js

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
bfjdx/757lr8.jsView file
17L18: //# sourceURL=${A}`)();n=c,o=l}else n=g.z$,o=g.Mt;r.construct&&(l.construct=function(e,t,i){let n,s=!1,a={fn:e,this:null,args:t,newTarget:i,return:e=>{s=!0,n=e},call:()=>(s=!0,n=o(... L19: //# sourceURL=${r.url.href}`),n}return o.body;case"style":return(0,i.sM)(await o.text(),e.context,r.meta);case"sharedworker":case"worker":return(0,i.iP)(new Uint8Array(await o.arra...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bfjdx/757lr8.jsView on unpkg · L17
assets/ChatPage-zoA8Z6RX.jsView file
1(function(_0x31bba3,_0x379132){const _0x159e7b={_0x26fc34:0x358,_0x56fc24:0x70c,_0x216b69:0x578,_0x22d6fc:0x60b,_0x33af41:0x2a6,_0x514b56:0x7f9,_0x4ccc4c:0x9d1,_0x35dd24:0xfdf,_0x1...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

assets/ChatPage-zoA8Z6RX.jsView on unpkg · L1
bfjdx/w7m632.wasmView file
path = bfjdx/w7m632.wasm kind = wasm_module sizeBytes = 586279 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bfjdx/w7m632.wasmView on unpkg
assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
assets/livekit-C0E_jLSz.jsView file
13patternName = generic_password severity = medium line = 13 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Hardcoded password in assets/livekit-C0E_jLSz.js

assets/livekit-C0E_jLSz.jsView on unpkg · L13

Findings

2 Critical3 High6 Medium4 Low
CriticalCritical Secretassets/proxy-runtime-1NyFshf9.js
CriticalSecret Patternassets/proxy-runtime-1NyFshf9.js
HighObfuscated Payload Loaderassets/ChatPage-zoA8Z6RX.js
HighObfuscated
HighShips High Entropy Blobassets/KaTeX_Script-Regular-D3wIWfF6.woff2
MediumDynamic Requirebfjdx/757lr8.js
MediumNetwork
MediumProtestware
MediumShips Wasm Modulebfjdx/w7m632.wasm
MediumStructural Risk Force Deep Review
MediumSecret Patternassets/livekit-C0E_jLSz.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License