AI Security Review
scanned 3d ago · by lpm-firewall-ai

The package is a high-risk bulk email and webmail automation toolkit with contact extraction capability. No confirmed install-time malware or unconsented exfiltration was found, but the runtime feature set is dangerous, dual-use functionality.
Decision evidence
public snapshot
- package.json exposes CLI .ad/x0.js and postinstall hook.
- src/web-panel/ws.js injects a webmail panel that fills Gmail/Outlook/Yahoo compose fields and clicks Send for target lists.
- .ad/x0.js is heavily obfuscated and implements mass email, OAuth/SMTP auth, contact extraction, sorting, DKIM generation, and local credential/token storage.
- templates/functions.txt documents send, auth, contacts, validate, sort, and DKIM commands for campaign operation.
- postinstall writes a Windows nolimit.cmd shim during install.
- postinstall.js only runs on win32 and exits on other platforms; it writes a CLI shim, not a downloader or credential harvester.
- Network use appears aligned with email/OAuth/DNS functionality rather than arbitrary exfiltration endpoints.
- Observed credential/contact handling is user-invoked via CLI commands and local files, not install-time theft.
Source & flagged code
5 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- src/web-panel/ws.js (line 269): Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- scripts/postinstall.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- scripts/postinstall.js: Source fingerprint signature matches a known malicious package signature; route for source-aware review.