AI Security Review
scanned 4d ago · by lpm-firewall-ai
The package is an obfuscated bulk email/SMS and webmail automation tool with phishing/spoofing support. No install-time payload or hidden credential exfiltration was confirmed by source inspection.
Decision evidence
public snapshot
- package.json exposes obfuscated main/bin .ad/x0.js and ships many obfuscated .ad modules.
- src/web-panel/ws.js injects a panel into Gmail/Outlook/Yahoo webmail, fills recipients/subject/body, and clicks Send in a loop.
- .ad/web-command.js builds a Chrome extension in the user's home directory and uses a local WebSocket server to inject panelCode/config into active tabs.
- .ad/x11.js contains sender-domain vulnerability scoring with attackRecommendation values, indicating phishing/spoofing optimization.
- Package includes phonebook/templates for targets, SMTPs, senders, subjects, and carrier SMS gateways.
- scripts/postinstall.js only creates a Windows nolimit.cmd shim and exits on non-Windows; no credential harvesting or exfiltration found there.
- The observed risky send/injection behavior appears user-invoked through CLI/web commands, not automatic at install or import time.
- Network use is mostly aligned with an email/SMS sending tool rather than hidden exfiltration.
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js, L269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)