AI Security Review
scanned 3d ago · by lpm-firewall-ai

The package is an obfuscated bulk email/red-team tool with contact extraction, OAuth token storage, webmail automation, and link-wrapping capabilities. The highest risk is user-invoked phishing/spam and mailbox contact harvesting, not silent malware executed at npm install time.
Decision evidence
public snapshot
- package.json declares a postinstall script and a bin entry pointing at .ad/x0.js, the entry point of an obfuscated bulk email tool.
- .ad/x0.js implements auth, extract, web, and DKIM-related commands with SMTP/IMAP/OAuth handling.
- .ad/x12.js requests Microsoft/Google OAuth scopes for Mail.Read, Contacts.Read, People.Read, and offline_access, then saves tokens to smtps.txt.
- .ad/x12.js extracts contacts from Microsoft Graph and IMAP inbox/sent folders.
- src/web-panel/ws.js injects a webmail panel that fills recipients, subject/body, and clicks Send in Gmail/Outlook/Yahoo.
- .ad/x10.js wraps HTML links through redirectors and references interact.sh patterns.
- scripts/postinstall.js only creates a Windows nolimit.cmd shim and exits on non-Windows.
- No install-time credential harvesting or exfiltration was found in the inspected lifecycle script.
- Network endpoints are tied to license/OAuth/DNS or user-invoked mail/contacts workflows, not hidden install-time C2.
Source & flagged code
5 flagged

- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js, L269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)