AI Security Review
scanned 1d ago · by lpm-firewall-ai

The package is a user-invoked bulk email/red-team tool with webmail automation, OAuth mail access, contact extraction, evasion, and template generation. This is dangerous dual-use capability, but the inspected lifecycle hooks do not establish unconsented malware behavior.
Decision evidence
public snapshot
- package.json declares preinstall/postinstall lifecycle hooks and an obfuscated main/bin entry point (.ad/x0.js)
- src/web-panel/ws.js injects a webmail panel that fills and clicks Send in Gmail/Outlook/Yahoo for target lists
- Obfuscated .ad/x0.js exposes commands for auth, contacts extraction, WebSend injection, DKIM generation, and bulk email workflows
- .ad/x12.js performs OAuth device-code auth and reads Microsoft/Google contacts/mail recipients via Graph/People/IMAP
- Templates/configs include SMTP credentials, target lists, QR/link placeholders, and attachment/phishing-style message generation
- preinstall.js only prompts for EULA and writes ~/.nolimit/eula.json after interactive acceptance
- postinstall.js is Windows-only and creates a nolimit.cmd shim for this package bin, not a foreign control surface
- No install-time credential harvesting or attacker exfiltration endpoint was confirmed
- Network activity observed is largely user-invoked OAuth, mail, DNS/whois, and webmail automation functionality
Source & flagged code
6 flagged

- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- src/web-panel/ws.js (line 269): Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- scripts/postinstall.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- scripts/postinstall.js: Source fingerprint signature matches a known malicious package signature; route for source-aware review.