AI Security Review
scanned 3d ago · by lpm-firewall-ai
The package is a phishing/spam automation toolkit, not a benign library. Its CLI and injected browser panel automate bulk email/SMS delivery, sender spoofing, DKIM/replay tactics, and webmail DOM sending.
Decision evidence
public snapshot
- package.json runs postinstall and exposes obfuscated .ad/x0.js as main/bin
- src/web-panel/ws.js injects a webmail panel that fills recipients/body and clicks Send in Gmail/Outlook/Yahoo
- obfuscated .ad code contains RealReplayAttack, DKIM replay, smtp_smuggling, stealth_mode, direct_mx, and sendMail paths
- templates/config.json and phonebook/config.json collect SMTP/SMS provider credentials and target lists
- scripts/postinstall.js writes a Windows nolimit.cmd shim at install time
- postinstall only runs on win32 and is framed as a CLI shim fix
- No confirmed credential exfiltration endpoint found in inspected source
- Example configs use placeholder credentials
Source & flagged code
5 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- src/web-panel/ws.js (line 269): Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- scripts/postinstall.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- scripts/postinstall.js: Source fingerprint signature matches a known malicious package signature; route for source-aware review.