
nolimit-agent@1.0.315

Advanced email sender

AI Security Review

scanned 4d ago · by lpm-firewall-ai

This package is a bulk email/phishing campaign toolkit with built-in scanner-evasion attachment formats and webmail automation. The confirmed risk is user-invoked abuse capability, plus install-time shim creation on Windows.

Static reason
  • High-risk behavior combination matched malicious policy.
  • Source matched previously finalized malicious package; routed for review.
  • Source fingerprint signature matched known malicious package; routed for review.
Trigger
npm install on Windows for shim creation; user runs nolimit CLI or injects src/web-panel/ws.js to send campaigns
Impact
enables credential-phishing or spam campaigns that hide destination links from email security scanners
Mechanism
bulk SMTP/webmail sending with phishing-link obfuscation and gateway-evasion attachments
Attack narrative
After installation, Windows systems run scripts/postinstall.js to create a CLI shim. When the user invokes the nolimit CLI or injects the web panel, the package supports loading SMTP/OAuth credentials and target lists, sending bulk email through SMTP/direct MX or webmail DOM automation, generating DKIM material, and producing attachments that hide links from gateway scanners via base64-reassembled redirects, .url files, and SVG xlink wrapping.
Rationale
Static source inspection shows a purpose-built phishing/spam delivery toolkit with explicit security-gateway evasion, not merely a benign mailer. Although there is no confirmed automatic credential exfiltration at install/import time, the package's concrete abuse capability warrants blocking.
Evidence
  • package.json
  • scripts/postinstall.js
  • .ad/x0.js
  • .ad/xu.js
  • src/web-panel/ws.js
  • templates/functions.txt
  • templates/config.json
  • phonebook/config.json
  • nolimit.cmd
  • dkim_keys/.dkim-state.json
  • dkim_keys/<domain>.pem
  • extracted/sorted/
Network endpoints (5)
  • index.commoncrawl.org
  • web.archive.org
  • otx.alienvault.com
  • www.google.com/favicon.ico
  • outlook.live.com/favicon.ico

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json describes an "Advanced email sender" with red-team/smtp keywords and exposes obfuscated CLI entrypoint .ad/x0.js.
  • templates/functions.txt documents bulk campaign sending, OAuth SMTP tokens, contact extraction, DKIM key generation, direct MX, raw SMTP, and turbo parallel sending.
  • templates/functions.txt explicitly documents gateway-scanner evasion: obfuscated HTML redirects, .url shortcuts, and SVG xlink URL hiding.
  • src/web-panel/ws.js injects a webmail panel into Gmail/Outlook/Yahoo and programmatically composes and clicks Send for target lists.
  • .ad files are heavily obfuscated despite source package distribution, hiding high-risk SMTP/crawler/phishing functionality.
  • scripts/postinstall.js runs at install time and writes a Windows nolimit.cmd shim into the npm global prefix.
Evidence against
  • postinstall.js only runs on win32 and appears limited to creating the declared CLI shim.
  • No evidence found of install-time credential harvesting or immediate exfiltration.
  • Network activity appears tied to user-invoked sender/crawler/favicon features rather than automatic import-time beaconing.
Behavioral surface
Source
ChildProcess, Filesystem, Shell
Supply chain
High Entropy Strings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 19.0 KB of source

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json
src/web-panel/ws.js
Line 269 contains invisible/control Unicode U+202A (left-to-right embedding): const sendBtn = document.querySelector('[data-tooltip="Send <U+202A>(Ctrl-Enter)<U+202C>"]') ||
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

Location: src/web-panel/ws.js, line 269
scripts/postinstall.js
matchType = normalized_sha256
matchedPackage = nolimit-agent@1.0.308
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.308
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

Location: scripts/postinstall.js
matchType = malicious_source_fingerprint_signature
signature = cbd26ae1248ea37f
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = nolimit-agent@1.0.308
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.308
similarity = 1.000
shingleOverlap = 1
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

Location: scripts/postinstall.js

Findings

1 Critical, 3 High, 2 Medium, 4 Low
  • Critical: Trojan Source Unicode (src/web-panel/ws.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Known Malware Source Similarity (scripts/postinstall.js)
  • High: Known Malware Source Fingerprint Signature (scripts/postinstall.js)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings