AI Security Review
scanned 12h ago · by lpm-firewall-ai
Package is a bulk email/SMS and webmail automation tool with an obfuscated CLI entrypoint. It can automate message delivery and extract contacts from configured mail accounts, but inspected evidence does not prove unconsented exfiltration or install-time malware beyond package shim creation.
Decision evidence
public snapshot
- package.json runs postinstall and exposes obfuscated .ad/x0.js as main/bin
- scripts/postinstall.js writes a Windows global nolimit.cmd shim at install time
- src/web-panel/ws.js injects a panel into webmail pages and automates Gmail/Outlook/Yahoo compose/send clicks
- templates/ and phonebook/ contain bulk email/SMS configs, sender lists, SMTP creds placeholders, and message templates
- .ad/x0.js is heavily obfuscated and contains bulk SMS/email, OAuth token storage, contact extraction, and DKIM tooling
- postinstall is platform-gated to win32 and only creates a package-owned bin shim
- No confirmed credential exfiltration or attacker-controlled dropper endpoint found in inspected readable source
- web-panel sending is triggered by the panel Send button
- Credentials/tokens in templates are placeholders or user-supplied operational config
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js, L269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)