nolimit-agent@1.0.331

Advanced email sender

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
  • High-risk behavior combination matched malicious policy.
  • Source matched previously finalized malicious package; routed for review.
  • Source fingerprint signature matched known malicious package; routed for review.
Trigger
npm install runs lifecycle hooks; user later runs nolimit CLI commands or injects src/web-panel/ws.js via the extension workflow.
Impact
Can facilitate high-volume email/SMS sending, webmail automation, DKIM/sender manipulation, and attachment/link evasion, but no confirmed unconsented install-time exfiltration or persistence was established.
Mechanism
obfuscated bulk mailer/webmail automation with phishing-delivery evasion features
Policy narrative
Install-time code shows an interactive EULA record and Windows command shim creation, not payload installation. The runtime package is still high-risk: the obfuscated CLI and templates implement SMTP/SMS campaigns, contact handling, DKIM setup, webmail compose/send automation, and documented URL/HTML/SVG evasion patterns useful for phishing or spam operations.
Rationale
Static inspection confirms dangerous agent-facing spam/phishing capability and obfuscation, but not concrete malware behavior such as credential theft, install-time remote execution, persistence, destructive action, or foreign AI-agent control hijack. Downgrade to warn rather than publish block.
Evidence
  • package.json
  • scripts/preinstall.js
  • scripts/postinstall.js
  • .ad/x0.js
  • src/web-panel/ws.js
  • templates/functions.txt
  • templates/config.json
  • phonebook/config.json
  • ~/.nolimit/eula.json
  • <npm-global-prefix>/nolimit.cmd
  • dkim_keys/<domain>.pem
  • dkim_keys/.dkim-state.json
  • config.json
Network endpoints (1)
dns.google/resolve?name=

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines preinstall/postinstall hooks and obfuscated executable main/bin .ad/x0.js.
  • scripts/preinstall.js prompts for a red-team EULA and writes ~/.nolimit/eula.json only after interactive acceptance.
  • scripts/postinstall.js runs only on Windows, calls npm config get prefix, and creates a nolimit.cmd shim to .ad/x0.js.
  • .ad/x0.js is a heavily obfuscated CLI using nodemailer, SMTP/SMS flows, auth/license checks, DKIM key generation, and DNS lookup.
  • src/web-panel/ws.js injects a webmail panel and automates Gmail/Outlook/Yahoo compose/send actions for target lists.
  • templates/functions.txt documents scanner-evasion features including obfuscated HTML redirects, .url attachments, SVG xlink links, thread prefixes, and generated service-style sender addresses.
Evidence against
  • No install-time remote payload download or credential/env harvesting found in lifecycle scripts.
  • No lifecycle writes to Claude/Codex/Cursor/MCP or other AI-agent control surfaces.
  • No shell startup, VCS hook, OS autostart, or detached daemon persistence found.
  • Network endpoint observed in source is DNS lookup for the user-invoked dkim command, not install-time exfiltration.
Behavioral surface
Source
ChildProcess, Filesystem, Shell
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 3 file(s), 22.5 KB of source

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.preinstall = node scripts/preinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

src/web-panel/ws.js
Line 269 contains invisible/control Unicode U+202A (left-to-right embedding):
const sendBtn = document.querySelector('[data-tooltip="Send <U+202A>(Ctrl-Enter)<U+202C>"]') ||
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/web-panel/ws.js · L269
scripts/postinstall.js
matchType = normalized_sha256
matchedPackage = nolimit-agent@1.0.327
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.327
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

matchType = malicious_source_fingerprint_signature
signature = 97ad344d2ec43431
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = nolimit-agent@1.0.327
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.327
similarity = 1.000
shingleOverlap = 2
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.


Findings

1 Critical · 3 High · 3 Medium · 4 Low
  • Critical: Trojan Source Unicode (src/web-panel/ws.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Known Malware Source Similarity (scripts/postinstall.js)
  • High: Known Malware Source Fingerprint Signature (scripts/postinstall.js)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings