MAL-2026-6575
Malicious code in @ibrahim1337/baksen (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3594b83aa12e5ab4985211494b6b6f73f6def91aae1210e0ae55f28e572d79a8)

Package @ibrahim1337/baksen@2.0.3 is a Windows x64 browser credential stealer. The entry point loads bytenode and executes the V8-bytecode-compiled `index.jsc`, which detects installed Chromium-family browsers (Chrome, Brave, Edge), terminates the browser processes via `taskkill /F /IM` to release database locks, reads each browser's `Local State` to extract the `app_bound_encrypted_key`, then invokes a shipped native Windows addon at `build/Release/debugelevator.node` to perform an App-Bound Encryption bypass via a debug session against the browser process. The decrypted master key is then used to read each browser profile's `Cookies` and `Login Data` SQLite databases (`SELECT encrypted_value FROM cookies`, `SELECT origin_url, username_value, password_value FROM logins`) and write cleartext cookies and saved passwords to local `_cookies/` and `_passwords/` directories.

The package ships no C/C++ source and no `binding.gyp`; the 676 KB prebuilt `.node` binary exists solely to defeat Chromium App-Bound Encryption. A companion `src/license.jsc` is js-confuser obfuscated (numeric string-array, control-flow flattening, base64 decoders) and constructs a remote license-check URL, further hiding behavior from source review.

The package has no README, `repository` is a placeholder (`yourusername`), and the description is just `baksen`: cover-story metadata for a credential-theft toolkit. Installing and running this package on Windows results in theft of the developer's browser cookies (live session tokens) and saved website passwords.
Affected packages
No fixed version has been published for @ibrahim1337/baksen (npm). Because the package itself is the malware rather than a legitimate project with one bad release, there is no known-safe version to pin to: remove it from the dependency tree entirely. If it was installed and run on a Windows machine, treat that machine's browser-stored credentials as compromised, rotate the saved passwords and invalidate the active sessions whose cookies were exposed.