nolimit-agent@1.0.317

Advanced email sender

AI Security Review

scanned 4d ago · by lpm-firewall-ai

The package is an obfuscated bulk email/SMS and webmail automation tool with phishing/spoofing support. No install-time payload or hidden credential exfiltration was confirmed by source inspection.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package, routed for review; source fingerprint signature matched known malicious package, routed for review.
Trigger
User runs the nolimit CLI or web command after install.
Impact
Can automate sending messages through SMTP/API providers or an active webmail session and score targets for spoofing weaknesses.
Mechanism
bulk messaging plus browser-extension webmail send automation
Attack narrative
When invoked, nolimit-agent can load target lists and templates, send via SMTP/API providers, or create a local Chrome extension that injects JavaScript into webmail tabs. The injected panel fills recipient, subject, and body fields and clicks Send for each target. Supporting modules assess sender/domain weakness and carrier gateways, making it high-risk abuse tooling, but the inspected source does not show unconsented install-time execution beyond a Windows shim or hidden exfiltration.
Rationale
Source inspection confirms dangerous bulk messaging and webmail automation capabilities with heavy obfuscation, but activation is user-invoked and no concrete install-time malware or secret exfiltration was found. Treat as suspicious/dangerous capability rather than a publish-blocking malicious package.
Evidence
Files: package.json, scripts/postinstall.js, .ad/x0.js, .ad/web-command.js, .ad/x11.js, src/web-panel/ws.js, templates/config.json, phonebook/smtp-gateways/att.txt
  • scripts/postinstall.js writes nolimit.cmd on Windows global npm prefix.
  • .ad/web-command.js writes nolimit-ext files under the user's home directory.
  • .ad/x0.js reads/writes working-directory campaign files such as emails.txt, messages.html, and sender-intelligence.json.
Network endpoints (8)
mail.google.com, outlook.live.com, outlook.office.com, mail.yahoo.com, mail.zoho.com, mail.proton.me, api.whois.vu/?q=, www.google.com/search?q=

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json exposes obfuscated main/bin .ad/x0.js and ships many obfuscated .ad modules.
  • src/web-panel/ws.js injects a panel into Gmail/Outlook/Yahoo webmail, fills recipients/subject/body, and clicks Send in a loop.
  • .ad/web-command.js builds a Chrome extension in the user's home directory and uses a local WebSocket server to inject panelCode/config into active tabs.
  • .ad/x11.js contains sender-domain vulnerability scoring with attackRecommendation values, indicating phishing/spoofing optimization.
  • Package includes phonebook/templates for targets, SMTPs, senders, subjects, and carrier SMS gateways.
Evidence against
  • scripts/postinstall.js only creates a Windows nolimit.cmd shim and exits on non-Windows; no credential harvesting or exfiltration found there.
  • The observed risky send/injection behavior appears user-invoked through CLI/web commands, not automatic at install or import time.
  • Network use is mostly aligned with an email/SMS sending tool rather than hidden exfiltration.
Behavioral surface
Source: ChildProcess, Filesystem, Shell
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 19.0 KB of source

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

src/web-panel/ws.js
Line 269 contains invisible/control Unicode U+202A (left-to-right embedding): const sendBtn = document.querySelector('[data-tooltip="Send <U+202A>(Ctrl-Enter)<U+202C>"]') ||
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

scripts/postinstall.js
matchType = normalized_sha256 matchedPackage = nolimit-agent@1.0.315 matchedPath = scripts/postinstall.js matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.315 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

matchType = malicious_source_fingerprint_signature signature = cbd26ae1248ea37f signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = nolimit-agent@1.0.315 matchedPath = scripts/postinstall.js matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.315 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.


Findings

1 Critical, 3 High, 2 Medium, 4 Low
Critical · Trojan Source Unicode · src/web-panel/ws.js
High · Install Time Lifecycle Scripts · package.json
High · Known Malware Source Similarity · scripts/postinstall.js
High · Known Malware Source Fingerprint Signature · scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings