registry  /  ratelimitsucks5  /  2.0.0

ratelimitsucks5@2.0.0

Republished package

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The HTML entry automatically executes arbitrary third-party JavaScript from an unpinned remote host. Its bundled runtime installs a service worker and routes browser traffic through a configured WebSocket proxy.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
A user opens or serves the package's declared `index.html` entry.
Impact
Remote host operators can run code in the page origin and alter routed browser requests at runtime.
Mechanism
Remote script execution plus service-worker-backed browser traffic interception/proxying.
Attack narrative
When the package's declared HTML entry is opened, it automatically loads and executes a remote script from `c.vipersfutbol.com`, whose contents are not pinned or present in the package. The bundled code is additionally obfuscated, uses runtime code construction, registers a service worker, and configures routing through a remote WebSocket proxy. This creates a concrete remote-code and browser-traffic control surface without user consent.
Rationale
This is not a normal executable npm library: its HTML entry silently imports unrelated remote code and establishes browser interception/proxy infrastructure. The absence of install hooks does not mitigate the runtime remote-code execution path.
Evidence
index.htmlassets/index-CJm_PfL2.jsassets/boot-CVPGRFHh.jsj6k3y8.jsct1tl/jmqwjq.jsct1tl/pap3do.jsbfjdx/757lr8.jspackage.json
Network endpoints3
c.vipersfutbol.com/script.jswww.googletagmanager.com/gtag/js?id=G-0VL3ZSBXDHwss://21baseballacademy.com/fairs/

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.html` automatically loads unpinned remote code from `https://c.vipersfutbol.com/script.js`.
  • `assets/index-CJm_PfL2.js` is heavily obfuscated and constructs code with `new Function(...)`.
  • `assets/boot-CVPGRFHh.js` registers `j6k3y8.js` as a service worker at runtime.
  • `j6k3y8.js` and `ct1tl/jmqwjq.js` claim clients and intercept routed fetch requests.
  • `assets/boot-CVPGRFHh.js` configures a proxy WebSocket endpoint at `wss://21baseballacademy.com/fairs/`.
  • No package lifecycle hook is needed: opening the declared HTML entry triggers the remote loader.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or `prepare` scripts.
  • No Node filesystem, shell, environment-harvesting, or native executable usage was found in inspected sources.
  • The bundled proxy/service-worker code has an apparent web-proxy purpose, but it does not justify the unrelated remote script loader.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 7.27 MB of source, external domains: 127.0.0.1, aomediacodec.github.io, cdn.jsdelivr.net, cloud-api.livekit.io, curl.se, emscripten.org, fingerprint.com, github.com, m1.openfpcdn.io, react.dev, sj-cache.invalid, twemoji.maxcdn.com, www.w3.org, www.zlib.net

Source & flagged code

9 flagged · loading source
assets/proxy-runtime-1NyFshf9.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = var OQ=O...B+=`
Critical
Secret Pattern

AWS access key ID in assets/proxy-runtime-1NyFshf9.js

assets/proxy-runtime-1NyFshf9.jsView on unpkg · L1
bfjdx/757lr8.jsView file
17L18: //# sourceURL=${A}`)();n=c,o=l}else n=g.z$,o=g.Mt;r.construct&&(l.construct=function(e,t,i){let n,s=!1,a={fn:e,this:null,args:t,newTarget:i,return:e=>{s=!0,n=e},call:()=>(s=!0,n=o(... L19: //# sourceURL=${r.url.href}`),n}return o.body;case"style":return(0,i.sM)(await o.text(),e.context,r.meta);case"sharedworker":case"worker":return(0,i.iP)(new Uint8Array(await o.arra...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bfjdx/757lr8.jsView on unpkg · L17
assets/ChatPage-zoA8Z6RX.jsView file
1(function(_0x31bba3,_0x379132){const _0x159e7b={_0x26fc34:0x358,_0x56fc24:0x70c,_0x216b69:0x578,_0x22d6fc:0x60b,_0x33af41:0x2a6,_0x514b56:0x7f9,_0x4ccc4c:0x9d1,_0x35dd24:0xfdf,_0x1...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

assets/ChatPage-zoA8Z6RX.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = 2d82bc066e3c546d signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = nottuff1@2.0.0 matchedPath = assets/ChatPage-zoA8Z6RX.js matchedIdentity = npm:bm90dHVmZjE:2.0.0 similarity = 1.000 shingleOverlap = 14 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

assets/ChatPage-zoA8Z6RX.jsView on unpkg
bfjdx/w7m632.wasmView file
path = bfjdx/w7m632.wasm kind = wasm_module sizeBytes = 586279 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bfjdx/w7m632.wasmView on unpkg
assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
assets/fingerprint-Y5nV5FVa.jsView file
matchType = normalized_sha256 matchedPackage = nottuff1@2.0.0 matchedPath = assets/fingerprint-Y5nV5FVa.js matchedIdentity = npm:bm90dHVmZjE:2.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

assets/fingerprint-Y5nV5FVa.jsView on unpkg
assets/livekit-C0E_jLSz.jsView file
13patternName = generic_password severity = medium line = 13 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Hardcoded password in assets/livekit-C0E_jLSz.js

assets/livekit-C0E_jLSz.jsView on unpkg · L13

Findings

2 Critical5 High6 Medium4 Low
CriticalCritical Secretassets/proxy-runtime-1NyFshf9.js
CriticalSecret Patternassets/proxy-runtime-1NyFshf9.js
HighObfuscated Payload Loaderassets/ChatPage-zoA8Z6RX.js
HighObfuscated
HighShips High Entropy Blobassets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighKnown Malware Source Similarityassets/fingerprint-Y5nV5FVa.js
HighKnown Malware Source Fingerprint Signatureassets/ChatPage-zoA8Z6RX.js
MediumDynamic Requirebfjdx/757lr8.js
MediumNetwork
MediumProtestware
MediumShips Wasm Modulebfjdx/w7m632.wasm
MediumStructural Risk Force Deep Review
MediumSecret Patternassets/livekit-C0E_jLSz.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License