@ibrahim1337/baksen @2.0.3
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC
OSV ID
MAL-2026-6575
Ecosystem
npm
Summary
Package @ibrahim1337/baksen@2.0.3 is a Windows x64 browser credential stealer. The entry point loads bytenode and executes the V8-bytecode-compiled index.jsc, which detects installed Chromium-family browsers (Chrome, Brave, Edge), terminates the browser processes via taskkill /F /IM to release database locks, reads each browser's Local State to extract the app_bound_encrypted_key, then invokes a shipped native Windows addon at build/Release/debugelevator.node to perform an App-Bound Encryption bypass via a debug session against the browser process. The decrypted master key is then used to read each browser profile's Cookies and Login Data SQLite databases (SELECT encrypted_value FROM cookies, SELECT origin_url, username_value, password_value FROM logins) and write cleartext cookies and saved passwords to local _cookies/ and _passwords/ directories.

The package ships no C/C++ source and no binding.gyp; the 676 KB prebuilt .node binary exists solely to defeat Chromium App-Bound Encryption. A companion src/license.jsc is js-confuser obfuscated (numeric string-array, control-flow flattening, base64 decoders) and constructs a remote license-check URL, further hiding behavior from source review. The package has no README, the repository is a placeholder (yourusername), and the description is just baksen: cover-story metadata for a credential-theft toolkit.

Installing and running this package on Windows results in theft of the developer's browser cookies (live session tokens) and saved website passwords.
Source: amazon-inspector (3594b83aa12e5ab4985211494b6b6f73f6def91aae1210e0ae55f28e572d79a8)
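The packaging traits called out in the summary (bytecode entry point, prebuilt native addon with no build inputs, placeholder metadata) can be checked before install. The following is an added example, not part of the OSV record or the package: a pure function that flags those traits from a parsed package.json and a file listing. The function name, both sample manifests and the bytenode dependency entry are constructed assumptions.

```javascript
// Added example: triage heuristics built from the traits this report lists.
// manifest = parsed package.json; files = paths relative to the package root.
function auditPackage(manifest, files) {
  const findings = [];
  const paths = files.map((f) => f.replace(/\\/g, "/").toLowerCase());
  const has = (re) => paths.some((p) => re.test(p));
  const deps = Object.assign({}, manifest.dependencies, manifest.optionalDependencies);

  // V8 bytecode cannot be source-reviewed; bytenode is the loader the report names.
  if (has(/\.jsc$/)) {
    findings.push("bytecode: ships .jsc" + ("bytenode" in deps ? ", loaded via bytenode" : ""));
  }
  // A prebuilt native addon with nothing in the package to rebuild it from.
  const buildable = has(/(^|\/)binding\.gyp$/) || has(/\.(c|cc|cpp|cxx|h|hpp)$/);
  if (has(/\.node$/) && !buildable) {
    findings.push("native: prebuilt .node, no binding.gyp or C/C++ source");
  }
  // Cover-story metadata.
  if (!has(/^readme(\.[a-z]+)?$/)) findings.push("metadata: no README");
  const repo = manifest.repository || "";
  const repoUrl = typeof repo === "string" ? repo : repo.url || "";
  if (/yourusername/i.test(repoUrl)) findings.push("metadata: placeholder repository");
  const bareName = String(manifest.name || "").split("/").pop();
  if (bareName && (manifest.description || "").trim() === bareName) {
    findings.push("metadata: description only repeats the package name");
  }
  return findings;
}

// Constructed sample modelled on the report's description (not the real manifest).
const SUSPECT_MANIFEST = {
  name: "@example/suspect", description: "suspect",
  repository: { url: "https://github.com/yourusername/suspect" }, // constructed
  dependencies: { bytenode: "*" }, // assumed: the report says the entry point loads bytenode
};
const SUSPECT_FILES = ["package.json", "index.js", "index.jsc", "src/license.jsc",
  "build/Release/debugelevator.node"];

// Constructed benign counterpart: a native addon that ships its build inputs.
const BENIGN_MANIFEST = { name: "example-addon", description: "Example native addon",
  repository: "https://github.com/example-org/example-addon" };
const BENIGN_FILES = ["package.json", "README.md", "binding.gyp", "src/addon.cc",
  "build/Release/addon.node"];

console.log(auditPackage(SUSPECT_MANIFEST, SUSPECT_FILES));
console.log(auditPackage(BENIGN_MANIFEST, BENIGN_FILES));
```

Each finding is a triage signal rather than proof, since legitimate packages also ship prebuilt addons; it is the combination seen in this report that warrants blocking and manual review.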