nolimit-agent@1.0.318

Advanced email sender

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package is a phishing/spam automation toolkit, not a benign library. Its CLI and injected browser panel automate bulk email/SMS delivery, sender spoofing, DKIM/replay tactics, and webmail DOM sending.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install on Windows for shim creation; user invoking nolimit or injected webmail panel for sending
Impact
Enables abusive mass messaging, phishing delivery, sender impersonation, and webmail-account misuse.
Mechanism
bulk SMTP/webmail/SMS sender with spoofing and replay capabilities
Attack narrative
Installing the package exposes an obfuscated nolimit CLI. At runtime it reads target lists, SMTP/SMS provider credentials, templates, and sender settings, then sends bulk messages through SMTP/direct MX, SMS providers, or browser-controlled webmail. The bundled web panel directly manipulates Gmail/Outlook/Yahoo compose UIs and clicks Send for each target, while obfuscated modules include DKIM/replay, spoofing, and vulnerability-ranking features.
Rationale
Static source inspection shows the package is purpose-built for mass phishing/spam and sender impersonation, with obfuscated implementation and webmail auto-send behavior. The install hook alone is limited, but the published runtime capability is concretely malicious/abusive.
Evidence
  • package.json
  • scripts/postinstall.js
  • .ad/x0.js
  • .ad/x11.js
  • .ad/sms-providers.js
  • src/web-panel/ws.js
  • templates/config.json
  • phonebook/config.json
  • scripts/postinstall.js writes nolimit.cmd
Network endpoints (6)
  • smtp.example.com
  • mail.google.com
  • outlook.live.com
  • outlook.office.com
  • mail.yahoo.com
  • www.google.com/s2/favicons

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall and exposes obfuscated .ad/x0.js as main/bin
  • src/web-panel/ws.js injects a webmail panel that fills recipients/body and clicks Send in Gmail/Outlook/Yahoo
  • obfuscated .ad code contains RealReplayAttack, DKIM replay, smtp_smuggling, stealth_mode, direct_mx, and sendMail paths
  • templates/config.json and phonebook/config.json collect SMTP/SMS provider credentials and target lists
  • scripts/postinstall.js writes a Windows nolimit.cmd shim at install time
Evidence against
  • postinstall only runs on win32 and is framed as a CLI shim fix
  • No confirmed credential exfiltration endpoint found in inspected source
  • Example configs use placeholder credentials
Behavioral surface
Source
ChildProcess, Filesystem, Shell
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 19.0 KB of source

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

src/web-panel/ws.js
Line 269: contains invisible/control Unicode U+202A (left-to-right embedding)
const sendBtn = document.querySelector('[data-tooltip="Send <U+202A>(Ctrl-Enter)<U+202C>"]') ||
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

scripts/postinstall.js
matchType = normalized_sha256
matchedPackage = nolimit-agent@1.0.315
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.315
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

matchType = malicious_source_fingerprint_signature
signature = cbd26ae1248ea37f
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = nolimit-agent@1.0.315
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.315
similarity = 1.000
shingleOverlap = 1
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

Findings

1 Critical · 3 High · 2 Medium · 4 Low
Critical · Trojan Source Unicode · src/web-panel/ws.js
High · Install Time Lifecycle Scripts · package.json
High · Known Malware Source Similarity · scripts/postinstall.js
High · Known Malware Source Fingerprint Signature · scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings