AI Security Review
scanned 4d ago · by lpm-firewall-ai
Dangerous dual-use bulk email/phishing automation is present, including webmail DOM injection, SMTP/OAuth sending, contact extraction, and SMS gateway targeting. No confirmed hidden install-time exfiltration was found.
Decision evidence
public snapshot (main)
- bin: .ad/x0.js is heavily obfuscated and implements a bulk email/red-team CLI
- src/web-panel/ws.js injects a webmail panel that fills and clicks Send in Gmail/Outlook/Yahoo
- .ad/web-command.js generates a Chrome extension with <all_urls> and scripting permission, then injects ws.js into active tabs
- .ad/x12.js reads OAuth/IMAP mailboxes and extracts contact addresses to local files
- .ad/x0.js and .ad/x1.js include DKIM/SPF analysis, replay/direct-spoof recommendations, SMTP sending, and contact extraction workflows
- package ships phishing-like templates and phonebook SMS gateway tooling
- scripts/postinstall.js only runs on Windows to create nolimit.cmd for .ad/x0.js and does not harvest or exfiltrate
- No install-time network call or import-time payload execution found beyond the postinstall shim
- Observed contact extraction and webmail sending are CLI/user-invoked features, not hidden lifecycle behavior
Source & flagged code
5 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- src/web-panel/ws.js (L269): Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- scripts/postinstall.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- scripts/postinstall.js: Source fingerprint signature matches a known malicious package signature; route for source-aware review.
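The first three findings above are mechanical checks a reviewer can reproduce offline before reading the flagged files: enumerate the lifecycle hooks declared in package.json (preinstall/install/postinstall/prepare and friends, which npm runs automatically), and scan every shipped source file for the bidi override/isolate code points used in Trojan Source attacks plus common zero-width characters. The following is an added example written for this review; it is not the scanner's code or the package's code. The package.json and ws.js contents it audits are constructed here to exercise both checks (the real package's postinstall command and the exact character at ws.js L269 are not reproduced), and the file paths are illustrative.

```javascript
// Added example: offline audit for install-time lifecycle hooks and
// Trojan Source / invisible Unicode characters in an npm package.
// All sample inputs below are constructed for this example.

// npm runs these scripts without the user invoking them explicitly.
const LIFECYCLE_HOOKS = new Set([
  "preinstall", "install", "postinstall", "prepublish", "prepare",
  "prepack", "postpack", "preuninstall", "uninstall", "postuninstall",
]);

// Bidi overrides/isolates (Trojan Source) plus common zero-width code points.
const SUSPICIOUS_CODEPOINTS = new Map([
  [0x202a, "LRE"], [0x202b, "RLE"], [0x202c, "PDF"], [0x202d, "LRO"], [0x202e, "RLO"],
  [0x2066, "LRI"], [0x2067, "RLI"], [0x2068, "FSI"], [0x2069, "PDI"],
  [0x200b, "ZWSP"], [0x200c, "ZWNJ"], [0x200d, "ZWJ"], [0x2060, "WJ"], [0xfeff, "ZWNBSP"],
]);

// Returns [{ name, command }] for every lifecycle hook declared in package.json.
function findLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  return Object.entries(scripts)
    .filter(([name]) => LIFECYCLE_HOOKS.has(name))
    .map(([name, command]) => ({ name, command }));
}

// Returns [{ line, column, codePoint, name }] for each suspicious character.
// Iterating with for...of walks code points, so a surrogate pair counts once.
function findBidiCharacters(source) {
  const hits = [];
  source.split("\n").forEach((line, idx) => {
    let column = 0;
    for (const ch of line) {
      column += 1;
      const cp = ch.codePointAt(0);
      if (SUSPICIOUS_CODEPOINTS.has(cp)) {
        hits.push({
          line: idx + 1,
          column,
          codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
          name: SUSPICIOUS_CODEPOINTS.get(cp),
        });
      }
    }
  });
  return hits;
}

// files: { "<path>": "<text>" }. Lifecycle check applies to package.json;
// the character scan runs over every file, including package.json itself.
function auditPackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path === "package.json" || path.endsWith("/package.json")) {
      for (const s of findLifecycleScripts(text)) {
        findings.push({ file: path, rule: "lifecycle-script", detail: `${s.name}: ${s.command}` });
      }
    }
    for (const h of findBidiCharacters(text)) {
      findings.push({ file: path, rule: "bidi-character", detail: `${h.codePoint} (${h.name}) at ${h.line}:${h.column}` });
    }
  }
  return findings;
}

// Constructed sample package: a postinstall hook plus a ws.js whose comment
// hides an RLO/LRI pair and whose string literal carries a zero-width space.
const SAMPLE_FILES = {
  "package.json": JSON.stringify({
    name: "example-pkg",
    version: "1.0.0",
    scripts: { test: "node test.js", postinstall: "node scripts/postinstall.js" },
  }),
  "src/web-panel/ws.js": [
    "function send(to) {",
    "  // trusted \u202E }  ) ot ( send \u2066 path",
    '  const zero = "a\u200Bb";',
    "  return to;",
    "}",
  ].join("\n"),
};

const SAMPLE_FINDINGS = auditPackage(SAMPLE_FILES);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

On a real tarball, feed `auditPackage` the extracted file map (for example from `npm pack` followed by reading each entry). Any lifecycle hook is worth reading in full even when, as in the evidence above, it turns out to be a harmless Windows shim; a bidi hit is reviewed by rendering the affected line with the control characters made visible, since an editor may display it reordered.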