AI Security Review
scanned 4d ago · by lpm-firewall-ai

The package is a heavily obfuscated bulk email/SMS and webmail automation toolkit with phishing-adjacent capabilities. Risk is user-invoked dangerous capability rather than confirmed covert malware behavior.
Decision evidence
public snapshot
- package.json exposes obfuscated CLI main/bin .ad/x0.js and includes install-time postinstall
- src/web-panel/ws.js injects a panel into Gmail/Outlook/Yahoo and auto-fills/sends messages to target lists
- .ad/web-command.js builds a Chrome extension with <all_urls>, scripting/tabs permissions and injects panelCode into webmail tabs
- templates/config.json supports SMTP credentials, sender/subject rotation, direct MX, QR/link and attachment generation
- Obfuscated .ad code includes open-redirect crawling and bulk email/contact workflows
- scripts/postinstall.js only runs on Windows to create a nolimit.cmd shim and does not fetch payloads or harvest data
- Network use appears aligned to license checks, DNS/OSINT lookups, SMTP/SMS/webmail functions rather than covert exfiltration
- No evidence found of import-time execution outside CLI/lifecycle shim
- No credential harvesting from arbitrary local files or environment variables observed
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js · L269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)