registry  /  tilaver-mfa  /  1.0.0

tilaver-mfa@1.0.0

tilaver-mfa-app

AI Security Review

scanned 10h ago · by lpm-firewall-ai

The package entrypoint is an obfuscated credential-stealing payload. Importing or executing `index.js` starts `run()` and includes a worker-based HTTP POST exfiltration path.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing the package main entrypoint or executing `node index.js`
Impact
Disclosure of Discord tokens, passwords, cookies, payment-card data, Roblox data, and screenshots
Mechanism
Harvests local browser/Discord credentials and submits collected data to attacker-controlled endpoints
Attack narrative
`index.js` initializes filesystem, crypto, HTTP(S), OS, and shell access; targets local application and home directories; identifies and decrypts Discord tokens; and records passwords, cookies, cards, Roblox data, and screenshots. It embeds a Discord webhook plus a worker-thread relay that POSTs worker payload data to `150.136.37.62` on port 5000, then invokes `run()` at module top level.
Rationale
Direct source inspection confirms credential collection and exfiltration, not merely suspicious primitives. The lack of an install lifecycle hook limits the trigger to import/execution but does not make the payload benign.
Evidence
package.jsonindex.js
Network endpoints2
discord.com150.136.37.62:5000/api/v2/c

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` executes `run()` at top level.
  • `index.js` reads APPDATA, LOCALAPPDATA, and the home directory.
  • `index.js` defines Discord token patterns and AES-GCM decryption.
  • `index.js` collects `discord`, `passwords`, `cookies`, `roblox`, `cards`, and `screenshot` data.
  • `index.js` embeds a Discord webhook and POST relay to `150.136.37.62:5000/api/v2/c`.
  • `index.js` uses `child_process.execSync`, filesystem access, and worker-thread relay code.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall lifecycle hook.
  • Only `package.json` and the obfuscated `index.js` are present; no legitimate MFA implementation is evident.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 255 KB of source, external domains: discord.com

Source & flagged code

7 flagged · loading source
index.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = let vmh=...;});
Critical
Critical Secret

Package contains a critical-looking secret pattern.

index.jsView on unpkg · L1
1let vmh=typeof globalThis!=='undefined'?globalThis:typeof window!=='undefined'?window:global,vmb_176c8b=vmh['vmb_176c8b']||(vmh['vmb_176c8b']={});const vmr_56fa82=(function(){var m...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> index.js L1: let vmh=typeof globalThis!=='undefined'?globalThis:typeof window!=='undefined'?window:global,vmb_176c8b=vmh['vmb_176c8b']||(vmh['vmb_176c8b']={});const vmr_56fa82=(function(){var m...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = let vmh=...;});
Critical
Secret Pattern

AWS access key ID in index.js

index.jsView on unpkg · L1
1let vmh=typeof globalThis!=='undefined'?globalThis:typeof window!=='undefined'?window:global,vmb_176c8b=vmh['vmb_176c8b']||(vmh['vmb_176c8b']={});const vmr_56fa82=(function(){var m...
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L1
1let vmh=typeof globalThis!=='undefined'?globalThis:typeof window!=='undefined'?window:global,vmb_176c8b=vmh['vmb_176c8b']||(vmh['vmb_176c8b']={});const vmr_56fa82=(function(){var m...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L1
1let vmh=typeof globalThis!=='undefined'?globalThis:typeof window!=='undefined'?window:global,vmb_176c8b=vmh['vmb_176c8b']||(vmh['vmb_176c8b']={});const vmr_56fa82=(function(){var m...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L1

Findings

4 Critical2 High4 Medium4 Low
CriticalCritical Secretindex.js
CriticalCredential Exfiltrationindex.js
CriticalTrigger Reachable Dangerous Capabilityindex.js
CriticalSecret Patternindex.js
HighChild Processindex.js
HighSame File Env Network Executionindex.js
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings