web-reverse-env
Audited by Socket on Apr 12, 2026
8 alerts found:
Anomaly x5, Security x3
The module is a runtime WebRTC patcher/mock that broadly overrides global WebRTC APIs and includes an optional feature to emit seeded ICE candidates via icecandidate events. While the fragment shows no direct network exfiltration or classic malware behaviors, the combination of global API tampering and configurable ICE-candidate event emission creates a meaningful privacy/security risk if seed inputs are sensitive or controlled by an untrusted party. Risk is moderate-to-high for privacy and application integrity, low for confirmed malware, and confidence is limited because helper functions and full patch context are not shown.
This module is security-relevant primarily because it generates runtime patch code that directly sets cookies from a configurable seed (`document.cookie = seed.cookie`). If the seed is attacker-controlled or influenced by untrusted input, this could enable session/state manipulation or tracking via cookie overwrites. The fragment does not show explicit network exfiltration or other direct malware primitives, but truncation prevents full verification of patchCode’s behavior.
This dependency is primarily a fingerprint-spoofing/evasion patch generator. It deterministically overrides browser APIs used for fingerprinting (screen/window metrics, canvas 2D/WebGL outputs, WebGL vendor/renderer via `getParameter`, and `navigator.getBattery`) using a caller-provided seed. No explicit malware behaviors (exfiltration/command execution) are present in this fragment, but the capability to tamper with high-value client fingerprinting signals makes it a moderate-to-high security/privacy risk in supply-chain contexts, especially if installed silently or without clear user consent and legitimate purpose.
This dependency installs a global override of Function.prototype.toString/Function.toString and selectively spoofs the toString output (as “[native code]”) for functions/getters/setters marked by its exported helpers. It can also rewrite function name/length metadata. No direct exfiltration or system-compromise behavior is present in this fragment, but the anti-inspection/evasion capability is clear and can undermine integrity checks and security tooling, so it should be reviewed for intended use in the broader package.
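This skill is largely consistent with its declared purpose, but that purpose is itself to provide environment spoofing and in-browser substitute execution for web reverse engineering, anti-detection, and CAPTCHA/risk-control bypass, which makes it a high-risk offensive/defensive skill. No obvious credential theft or hidden exfiltration instructions were found, so it is closer to high-risk/abusable than to confirmed malicious; if the JsRpc binary published from a personal repository is actually enabled, the risk rises further.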
This module is strongly indicative of privacy-invasive client fingerprinting/tracking. It combines high-entropy environment signals with sensitive data collection (full localStorage/sessionStorage dumps and accessible document.cookie), creates canvas and WebGL fingerprint artifacts, and discloses everything by logging the entire JSON payload to the console. Even without visible network activity here, the returned payload enables downstream transmission by other parts of the package.
This module is a high-impact crypto API override that eliminates cryptographic unpredictability by substituting deterministic getRandomValues output and supplying placeholder SubtleCrypto methods that always reject. It directly mutates global cryptography objects (crypto and optional msCrypto), which can undermine session/nonces/keys and break security assumptions. No direct network exfiltration or credential theft is evident in this fragment; the primary risk is integrity/sabotage of cryptographic randomness and functionality.
From this snippet alone, there is no evidence of malicious actions because no executable code is provided. However, the documented scope is explicitly aimed at high-fidelity browser environment emulation and cross-surface fingerprint consistency for anti-detection/validation purposes, which can be dual-use and can materially increase risk if the implementation later performs evasion, automated probing, or any data collection/exfiltration. Further review of the actual implementation scripts in the referenced directory is required to assess supply-chain malware risk.