AI Security Review
scanned 4d ago · by lpm-firewall-ai

The package is an obfuscated mass-email/phishing automation toolkit with browser webmail injection and contact extraction features. Install-time code only creates a Windows command shim, but runtime commands provide concrete abuse capability.
Decision evidence
public snapshot
- package.json exposes obfuscated .ad/x0.js as main/bin and a postinstall lifecycle script.
- .ad/x0.js implements bulk email/phonebook workflows, OAuth token saving, contacts extraction, DKIM setup, and writes smtps.txt/extracted outputs.
- src/web-panel/ws.js injects a webmail panel into Gmail/Outlook/Yahoo and programmatically composes and clicks Send for target lists.
- .ad/web-command.js creates a Chrome extension under the user's home directory with tabs/scripting/alarms and broad host permissions, then injects the panel code.
- Templates and docs describe phishing-style sender names, OAuth SMTP tokens, inbox/contact extraction, SMTP rotation, SOCKS, and target lists.
- scripts/postinstall.js is Windows-only shim creation, not credential theft by itself.
- Observed high-risk behavior is primarily user-invoked CLI/browser-extension functionality, not automatic install-time exfiltration.
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js, line 269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)