registry  /  sigchain-js  /  1.0.1

sigchain-js@1.0.1

JavaScript library for interacting with the Theta Blockchain

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Importing either Node entrypoint activates a hidden payload. The CJS build targets a foreign dependency file; the ESM build executes decrypted content supplied by `thedata`.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
Runtime import of the package through its ESM or CommonJS entrypoint.
Impact
Arbitrary local code execution in the importing application's environment; the CJS path also reads a file from another installed package.
Mechanism
Top-level decryption and detached Node execution of hidden payload code.
Attack narrative
On import, the ESM artifact decrypts `thedata`'s `desKey` and sends the plaintext to a detached Node process. Separately, the CJS artifact reads an encrypted `rsa.db` from the unrelated `tchain-api` package, decrypts it with a hard-coded password, and executes the result through detached Node. These behaviors are absent from the package source and build configuration, so the distributed entrypoint artifacts contain an injected arbitrary-code execution chain.
Rationale
Confirmed top-level detached-process execution of decrypted hidden content is concrete arbitrary code execution, not a package-aligned blockchain capability. The mismatch between source and published entry artifacts strengthens the conclusion of malicious tampering.
Evidence
package.jsonrollup.config.jssrc/index.jsdist/sigchain-js.esm.jsdist/sigchain-js.cjs.jsnode_modules/tchain-api/apps/docs/app/rsa.db

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/sigchain-js.esm.js` imports `desKey` from `thedata`, decrypts it, and runs it with detached `node`.
  • `dist/sigchain-js.cjs.js` reads `node_modules/tchain-api/apps/docs/app/rsa.db`, decrypts it with hard-coded `hydra`, then pipes it to detached `node`.
  • Both payloads run in top-level async IIFEs during module initialization; no user API call is required.
  • `src/` and `rollup.config.js` contain neither the payload logic nor its imports, indicating malicious compiled-artifact injection.
Evidence against
  • `package.json` defines no install, preinstall, or postinstall lifecycle hook.
  • No concrete network endpoint is present in the confirmed injected execution chain.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 34 file(s), 889 KB of source, external domains: beta-explorer.thetatoken.org, cloudflare-eth.com, eth-rpc-api-testnet.thetatoken.org, eth-rpc-api.thetatoken.org, ethereum.api.nodesmith.io, explorer-api.thetatoken.org, explorer.thetatoken.org, github.com, registry.npmjs.org, smart-contracts-sandbox-explorer.thetatoken.org, testnet-explorer-api.thetatoken.org, testnet-tsub360777-explorer.thetatoken.org, testnet-tsub360777-rpc.thetatoken.org, theta-bridge-rpc-testnet.thetatoken.org, theta-bridge-rpc.thetatoken.org, theta-node-rpc-smart-contract-sandbox.thetatoken.org, tsub360888-explorer.thetatoken.org, tsub360888-rpc.thetatoken.org, tsub360889-explorer.thetatoken.org, tsub360889-rpc.thetatoken.org, tsub360890-explorer.thetatoken.org, tsub360890-rpc.thetatoken.org
Oversized source lightweight scan
dist/sigchain-js.umd.js2.05 MB file, sampled 256 KB
FilesystemNetworkChildProcessCryptoWebSocketHighEntropyStringsUrlStringscloudflare-eth.comethereum.api.nodesmith.iogithub.com

Source & flagged code

10 flagged · loading source
dist/sigchain-js.cjs.jsView file
18require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers'); ... L198: L199: const makeSigner = addToV => (hash$$1, privateKey) => { L200: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L244: toJson(){ L245: return JSON.parse(JSON.stringify({ L246: txType: this.getType(), L247: txData: this._rawTx L248: })); ... L363:
Critical
Spawned Remote Code Execution

Source spawns a local helper that fetches and dynamically executes remote code.

dist/sigchain-js.cjs.jsView on unpkg · L18
18Trigger-reachable chain: manifest.main -> dist/sigchain-js.cjs.js L18: require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers'); ... L198: L199: const makeSigner = addToV => (hash$$1, privateKey) => { L200: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L244: toJson(){ L245: return JSON.parse(JSON.stringify({ L246: txType: this.getType(), L247: txData: this._rawTx L248: })); ... L363:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/sigchain-js.cjs.jsView on unpkg · L18
18require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers');
High
Child Process

Package source references child process execution.

dist/sigchain-js.cjs.jsView on unpkg · L18
matchType = normalized_sha256 matchedPackage = sigchain-js@1.0.0 matchedPath = dist/sigchain-js.cjs.js matchedIdentity = npm:c2lnY2hhaW4tanM:1.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/sigchain-js.cjs.jsView on unpkg
dist/sigchain-js.umd.jsView file
path = dist/sigchain-js.umd.js kind = oversized_source_file sizeBytes = 2148819 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/sigchain-js.umd.jsView on unpkg
dist/sigchain-js.esm.jsView file
matchType = token_shingles matchedPackage = sigchain-js@1.0.0 matchedPath = dist/sigchain-js.esm.js matchedIdentity = npm:c2lnY2hhaW4tanM:1.0.0 similarity = 0.708 shingleOverlap = 34 summary = source token shingles overlapped finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/sigchain-js.esm.jsView on unpkg
test/wallet.test.jsView file
51patternName = generic_password severity = medium line = 51 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L51
60patternName = generic_password severity = medium line = 60 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L60
71patternName = generic_password severity = medium line = 71 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L71
80patternName = generic_password severity = medium line = 80 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L80

Findings

2 Critical5 High6 Medium4 Low
CriticalSpawned Remote Code Executiondist/sigchain-js.cjs.js
CriticalTrigger Reachable Dangerous Capabilitydist/sigchain-js.cjs.js
HighChild Processdist/sigchain-js.cjs.js
HighShell
HighOversized Source Filedist/sigchain-js.umd.js
HighKnown Malware Source Similaritydist/sigchain-js.cjs.js
HighKnown Malware Source Similaritydist/sigchain-js.esm.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings