baoyu-post-to-wechat
Audited by Socket on May 21, 2026
2 alerts found:
Anomaly: This code is a legitimate-appearing, purpose-built WeChat editor automation tool, but it performs high-privilege operations: it executes JavaScript in the automated browser context via eval-like commands and includes a sensitive fallback that reads local files using fetch('file://...') and uploads them. No explicit credential theft, persistence, or obvious malicious network behavior is present in this module; however, the eval capability and local-file-to-browser fallback make the supply-chain security risk meaningfully elevated and dependent on the safety of the agent-browser binary and runtime trust model.
Malware: This module contains a clear high-risk behavior: it attempts to exfiltrate the WeChat login QR code to Telegram using bot token/chat id from environment variables. It also fetches the QR image URL with browser credentials included, potentially accessing credential-protected resources. While the rest of the code is primarily UI automation for posting, the QR-to-Telegram path is strongly indicative of credential/2FA artifact theft or at least unauthorized tracking/exfiltration. Additional risk may exist in imported local modules, but from this file alone the Telegram QR exfiltration is the key malicious/sabotage signal.