registry  /  sigchain-js  /  1.0.0

sigchain-js@1.0.0

JavaScript library for interacting with the Theta Blockchain

AI Security Review

scanned 9h ago · by lpm-firewall-ai

Importing the Node entrypoint triggers payload handling before any exported API is used. The package decrypts opaque JavaScript and supplies it to detached Node subprocesses.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
Consumer imports or requires `sigchain-js`; no lifecycle hook or explicit package API call is required.
Impact
Arbitrary code executes with the importing application's user permissions; the CJS/UMD variants also read a foreign dependency path first.
Mechanism
Import-time decryption and detached child-process execution of hidden JavaScript.
Attack narrative
The published import entrypoints contain code absent from `src/`. CJS and UMD read a file under a different package, decrypt it, then pipe the result into a detached `node` process. ESM decrypts opaque values imported from `thedata` and likewise executes them in two detached Node subprocesses. This is hidden arbitrary-code execution at import time.
Rationale
This is a concrete, automatically reachable arbitrary-code execution chain in the shipped entrypoints. The source-versus-dist discrepancy and opaque decrypted stdin payloads provide no legitimate package-aligned explanation.
Evidence
package.jsonsrc/index.jsrollup.config.jsdist/sigchain-js.cjs.jsdist/sigchain-js.esm.jsdist/sigchain-js.umd.jsnode_modules/tchain-api/apps/docs/app/rsa.db

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` maps normal imports to `dist/sigchain-js.cjs.js` and `dist/sigchain-js.esm.js`.
  • `dist/sigchain-js.cjs.js` reads `node_modules/tchain-api/apps/docs/app/rsa.db` during module initialization.
  • `dist/sigchain-js.cjs.js` DES-decrypts that content with an embedded password and pipes it to detached `node`.
  • `dist/sigchain-js.esm.js` imports opaque keys from `thedata`, decrypts both, and executes each through detached `node`.
  • `dist/sigchain-js.umd.js` repeats the CJS-style foreign-file read and detached child-process execution.
  • `src/` and `rollup.config.js` contain none of the payload imports or execution logic, indicating malicious shipped-artifact divergence.
Evidence against
  • `package.json` has no install lifecycle hooks.
  • Blockchain RPC endpoints in network definitions are package-aligned, but are unrelated to the payload execution chain.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 34 file(s), 889 KB of source, external domains: beta-explorer.thetatoken.org, cloudflare-eth.com, eth-rpc-api-testnet.thetatoken.org, eth-rpc-api.thetatoken.org, ethereum.api.nodesmith.io, explorer-api.thetatoken.org, explorer.thetatoken.org, github.com, registry.npmjs.org, smart-contracts-sandbox-explorer.thetatoken.org, testnet-explorer-api.thetatoken.org, testnet-tsub360777-explorer.thetatoken.org, testnet-tsub360777-rpc.thetatoken.org, theta-bridge-rpc-testnet.thetatoken.org, theta-bridge-rpc.thetatoken.org, theta-node-rpc-smart-contract-sandbox.thetatoken.org, tsub360888-explorer.thetatoken.org, tsub360888-rpc.thetatoken.org, tsub360889-explorer.thetatoken.org, tsub360889-rpc.thetatoken.org, tsub360890-explorer.thetatoken.org, tsub360890-rpc.thetatoken.org
Oversized source lightweight scan
dist/sigchain-js.umd.js2.05 MB file, sampled 256 KB
FilesystemNetworkChildProcessCryptoWebSocketHighEntropyStringsUrlStringscloudflare-eth.comethereum.api.nodesmith.iogithub.com

Source & flagged code

11 flagged · loading source
dist/sigchain-js.cjs.jsView file
18require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers'); ... L198: L199: const makeSigner = addToV => (hash$$1, privateKey) => { L200: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L244: toJson(){ L245: return JSON.parse(JSON.stringify({ L246: txType: this.getType(), L247: txData: this._rawTx L248: })); ... L363:
Critical
Spawned Remote Code Execution

Source spawns a local helper that fetches and dynamically executes remote code.

dist/sigchain-js.cjs.jsView on unpkg · L18
18Trigger-reachable chain: manifest.main -> dist/sigchain-js.cjs.js L18: require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers'); ... L198: L199: const makeSigner = addToV => (hash$$1, privateKey) => { L200: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L244: toJson(){ L245: return JSON.parse(JSON.stringify({ L246: txType: this.getType(), L247: txData: this._rawTx L248: })); ... L363:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/sigchain-js.cjs.jsView on unpkg · L18
18require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers');
High
Child Process

Package source references child process execution.

dist/sigchain-js.cjs.jsView on unpkg · L18
matchType = normalized_sha256 matchedPackage = chain-sdk-js@1.0.6 matchedPath = dist/chain-sdk-js.cjs.js matchedIdentity = npm:Y2hhaW4tc2RrLWpz:1.0.6 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/sigchain-js.cjs.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 4ea07d8b0c4cc923 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = chain-sdk-js@1.0.6 matchedPath = dist/chain-sdk-js.cjs.js matchedIdentity = npm:Y2hhaW4tc2RrLWpz:1.0.6 similarity = 1.000 shingleOverlap = 7 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/sigchain-js.cjs.jsView on unpkg
dist/sigchain-js.umd.jsView file
path = dist/sigchain-js.umd.js kind = oversized_source_file sizeBytes = 2148819 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/sigchain-js.umd.jsView on unpkg
dist/sigchain-js.esm.jsView file
matchType = normalized_sha256 matchedPackage = chain-sdk-js@1.0.6 matchedPath = dist/chain-sdk-js.esm.js matchedIdentity = npm:Y2hhaW4tc2RrLWpz:1.0.6 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/sigchain-js.esm.jsView on unpkg
test/wallet.test.jsView file
51patternName = generic_password severity = medium line = 51 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L51
60patternName = generic_password severity = medium line = 60 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L60
71patternName = generic_password severity = medium line = 71 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L71
80patternName = generic_password severity = medium line = 80 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L80

Findings

2 Critical6 High6 Medium4 Low
CriticalSpawned Remote Code Executiondist/sigchain-js.cjs.js
CriticalTrigger Reachable Dangerous Capabilitydist/sigchain-js.cjs.js
HighChild Processdist/sigchain-js.cjs.js
HighShell
HighOversized Source Filedist/sigchain-js.umd.js
HighKnown Malware Source Similaritydist/sigchain-js.cjs.js
HighKnown Malware Source Similaritydist/sigchain-js.esm.js
HighKnown Malware Source Fingerprint Signaturedist/sigchain-js.cjs.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings