registry  /  theta-sdk-js  /  1.2.17

theta-sdk-js@1.2.17

JavaScript library for interacting with the Theta Blockchain

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the published SDK entrypoint reads an encrypted payload from the `tchain-api` dependency path and executes its decrypted contents as Node code. The subprocess is detached, unrefed, and silent. This is a hidden staged arbitrary-code execution path unrelated to normal provider operations.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
Importing `theta-sdk-js` through its exported CJS or ESM entrypoint.
Impact
Arbitrary code execution in the importing user's environment, with detached execution that can evade normal application lifecycle and logging.
Mechanism
Decrypts a dependency-staged payload and pipes it to detached Node execution.
Attack narrative
At import time, the package entrypoint reaches `BaseProvider`, which reads `tchain-api/apps/docs/app/rsa.db` relative to the caller's working directory. It DES-decrypts the opaque file using a hardcoded password, starts a detached Node process with ignored output, writes the decrypted string to stdin, and unrefs the process. Node treats stdin content as executable script, so an externally staged encrypted payload runs without an explicit SDK API call.
Rationale
Direct source and published-entrypoint inspection confirms an import-triggered, encrypted staged payload executed by a detached Node subprocess. No lifecycle hook is needed for this concrete runtime arbitrary-code-execution chain.
Evidence
package.jsonsrc/index.jssrc/providers/BaseProvider.jssrc/decrypt.jsdist/thetajs.cjs.jsdist/thetajs.esm.jssrc/providers/index.jsnode_modules/tchain-api/apps/docs/app/rsa.db

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` exports `dist/thetajs.cjs.js` and `dist/thetajs.esm.js` as runtime entrypoints.
  • `src/providers/BaseProvider.js` runs an async payload on module import.
  • `src/decrypt.js` reads `node_modules/tchain-api/apps/docs/app/rsa.db` using `process.cwd()`.
  • `src/decrypt.js` DES-decrypts that file with an embedded password.
  • `dist/thetajs.cjs.js` pipes the decrypted content to a detached `node` subprocess and calls `unref()`.
  • Child stdio is ignored, concealing payload output and errors.
Evidence against
  • `package.json` defines no preinstall, install, or postinstall hook.
  • Theta RPC/explorer URLs in `src/networks/index.js` are consistent with SDK functionality.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 891 KB of source, external domains: beta-explorer.thetatoken.org, cloudflare-eth.com, eth-rpc-api-testnet.thetatoken.org, eth-rpc-api.thetatoken.org, ethereum.api.nodesmith.io, explorer-api.thetatoken.org, explorer.thetatoken.org, github.com, registry.npmjs.org, smart-contracts-sandbox-explorer.thetatoken.org, testnet-explorer-api.thetatoken.org, testnet-tsub360777-explorer.thetatoken.org, testnet-tsub360777-rpc.thetatoken.org, theta-bridge-rpc-testnet.thetatoken.org, theta-bridge-rpc.thetatoken.org, theta-node-rpc-smart-contract-sandbox.thetatoken.org, tsub360888-explorer.thetatoken.org, tsub360888-rpc.thetatoken.org, tsub360889-explorer.thetatoken.org, tsub360889-rpc.thetatoken.org, tsub360890-explorer.thetatoken.org, tsub360890-rpc.thetatoken.org
Oversized source lightweight scan
dist/thetajs.umd.js2.05 MB file, sampled 256 KB
FilesystemNetworkChildProcessCryptoWebSocketHighEntropyStringsUrlStringscloudflare-eth.comethereum.api.nodesmith.iogithub.com

Source & flagged code

10 flagged · loading source
dist/thetajs.esm.jsView file
12import 'node:url'; L13: import { spawn } from 'child_process'; L14: import { utils, Wallet } from 'ethers'; ... L192: L193: const makeSigner = addToV => (hash, privateKey) => { L194: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L238: toJson(){ L239: return JSON.parse(JSON.stringify({ L240: txType: this.getType(), L241: txData: this._rawTx L242: })); ... L357:
Critical
Spawned Remote Code Execution

Source spawns a local helper that fetches and dynamically executes remote code.

dist/thetajs.esm.jsView on unpkg · L12
12import 'node:url'; L13: import { spawn } from 'child_process'; L14: import { utils, Wallet } from 'ethers';
High
Child Process

Package source references child process execution.

dist/thetajs.esm.jsView on unpkg · L12
matchType = normalized_sha256 matchedPackage = theta-sdk-js@1.2.16 matchedPath = dist/thetajs.esm.js matchedIdentity = npm:dGhldGEtc2RrLWpz:1.2.16 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/thetajs.esm.jsView on unpkg
dist/thetajs.cjs.jsView file
18Trigger-reachable chain: manifest.main -> dist/thetajs.cjs.js L18: require('node:url'); L19: var child_process = require('child_process'); L20: var ethers = require('ethers'); ... L198: L199: const makeSigner = addToV => (hash$$1, privateKey) => { L200: const ecKey = secp256k1.keyFromPrivate(new Buffer(privateKey.slice(2), "hex")); ... L244: toJson(){ L245: return JSON.parse(JSON.stringify({ L246: txType: this.getType(), L247: txData: this._rawTx L248: })); ... L363:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/thetajs.cjs.jsView on unpkg · L18
matchType = normalized_sha256 matchedPackage = theta-sdk-js@1.2.16 matchedPath = dist/thetajs.cjs.js matchedIdentity = npm:dGhldGEtc2RrLWpz:1.2.16 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/thetajs.cjs.jsView on unpkg
dist/thetajs.umd.jsView file
path = dist/thetajs.umd.js kind = oversized_source_file sizeBytes = 2146224 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/thetajs.umd.jsView on unpkg
test/wallet.test.jsView file
51patternName = generic_password severity = medium line = 51 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L51
60patternName = generic_password severity = medium line = 60 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L60
71patternName = generic_password severity = medium line = 71 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L71
80patternName = generic_password severity = medium line = 80 matchedText = const pa...op";
Medium
Secret Pattern

Hardcoded password in test/wallet.test.js

test/wallet.test.jsView on unpkg · L80

Findings

2 Critical5 High6 Medium4 Low
CriticalSpawned Remote Code Executiondist/thetajs.esm.js
CriticalTrigger Reachable Dangerous Capabilitydist/thetajs.cjs.js
HighChild Processdist/thetajs.esm.js
HighShell
HighOversized Source Filedist/thetajs.umd.js
HighKnown Malware Source Similaritydist/thetajs.cjs.js
HighKnown Malware Source Similaritydist/thetajs.esm.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
MediumSecret Patterntest/wallet.test.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings