AI Security Review
scanned 3d ago · by lpm-firewall-ai

The package is a user-invoked bulk email/SMS and webmail automation toolkit with proxying, sender rotation, DKIM, HTML fingerprint evasion, and Chrome extension injection. This is dangerous dual-use/spam-enabling capability, but not confirmed install-time malware.
Decision evidence
public snapshot
- package.json exposes obfuscated CLI entry .ad/x0.js and postinstall lifecycle script.
- templates/functions.txt documents bulk sending, raw SMTP, sender rotation, message-to-image, turbo mode, and DKIM setup.
- templates/socks.txt documents SOCKS proxy rotation and direct port-25 sending via proxy.
- src/web-panel/ws.js injects a panel into webmail pages and programmatically composes/sends Gmail/Outlook/Yahoo messages.
- .ad/web-command.js builds a Chrome extension and localhost WebSocket bridge for webmail injection.
- Obfuscated .ad modules include SMTP/SMS/provider, open-redirect canary, fingerprint-evasion, and contact/org enrichment code.
- scripts/postinstall.js only runs on win32 and writes a nolimit.cmd shim to the npm global prefix.
- No install-time credential harvesting, destructive action, persistence beyond the Windows shim, or exfiltration endpoint was confirmed.
- Network behavior appears tied to user-invoked email/SMS/webmail campaign features rather than automatic import/install execution.
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js, line 269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)