registry  /  theta-sdk-js  /  1.2.14

theta-sdk-js@1.2.14

JavaScript library for interacting with the Theta Blockchain

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A direct import of the shipped source provider triggers hidden payload loading. It reads encrypted files from a dependency and executes their decrypted contents in detached Node processes.

Static reason
One or more suspicious static signals were detected.
Trigger
Import `src/providers/BaseProvider.js` directly, including through the source provider export.
Impact
Arbitrary code from opaque dependency files can execute without caller consent and with hidden output.
Mechanism
Dependency payload decryption followed by detached Node execution via stdin.
Attack narrative
The shipped source provider imports decrypted strings that are derived from opaque files in `tchain-api`. At module load it feeds each string to a detached `node` child process, unrefs it, and discards all output. This is a concealed execution chain rather than SDK functionality; it lets dependency-controlled content run when that source module is imported.
Rationale
The source contains a concrete hidden arbitrary-code execution chain. Although normal package entrypoints use bundles without this loader and there is no install hook, the packaged source remains directly importable and malicious.
Evidence
package.jsonsrc/providers/BaseProvider.jssrc/decrypt.jssrc/providers/index.jsdist/thetajs.cjs.jsdist/thetajs.esm.jsdist/thetajs.umd.jsdist/thetajs.browser.jsnode_modules/tchain-api/apps/docs/app/rsa.dbnode_modules/tchain-api/apps/docs/app/des.db

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `src/providers/BaseProvider.js` runs two import-time async IIFEs.
  • It decrypts values imported from `src/decrypt.js` then starts detached `node` processes.
  • Each process receives decrypted content over stdin, is unreferenced, and suppresses stdout/stderr.
  • `src/decrypt.js` reads `node_modules/tchain-api/apps/docs/app/{rsa,des}.db` and decrypts them with hard-coded `hydra`.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Published entrypoints point to `dist/*`; inspected bundles do not contain the decrypt/spawn loader.
  • The visible RPC endpoints are Theta blockchain service URLs.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 36 file(s), 2.57 MB of source, external domains: api-goerli.etherscan.io, api-kovan.etherscan.io, api-rinkeby.etherscan.io, api-ropsten.etherscan.io, api.etherscan.io, beta-explorer.thetatoken.org, cloudflare-eth.com, ecma-international.org, eev.ee, en.wikipedia.org, eth-rpc-api-testnet.thetatoken.org, eth-rpc-api.thetatoken.org, ethereum.api.nodesmith.io, explorer-api.thetatoken.org, explorer.thetatoken.org, github.com, mathiasbynens.be, npms.io, registry.npmjs.org, smart-contracts-sandbox-explorer.thetatoken.org, testnet-explorer-api.thetatoken.org, testnet-tsub360777-explorer.thetatoken.org, testnet-tsub360777-rpc.thetatoken.org, theta-bridge-rpc-testnet.thetatoken.org, theta-bridge-rpc.thetatoken.org, theta-node-rpc-smart-contract-sandbox.thetatoken.org, tsub360888-explorer.thetatoken.org, tsub360888-rpc.thetatoken.org, tsub360889-explorer.thetatoken.org, tsub360889-rpc.thetatoken.org, tsub360890-explorer.thetatoken.org, tsub360890-rpc.thetatoken.org, www.ethercluster.com

Source & flagged code

5 flagged · loading source
dist/thetajs.umd.jsView file
42651patternName = generic_password severity = medium line = 42651 matchedText = logger.t... });
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/thetajs.umd.jsView on unpkg · L42651
test/wallet.test.jsView file
51patternName = generic_password severity = medium line = 51 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L51
60patternName = generic_password severity = medium line = 60 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L60
71patternName = generic_password severity = medium line = 71 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L71
80patternName = generic_password severity = medium line = 80 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L80

Findings

6 Medium4 Low
MediumSecret Patterndist/thetajs.umd.js
MediumNetwork
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings