AI Security Review
scanned 1d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- .ad/x0.js is heavily obfuscated CLI entrypoint and contains bulk email/SMS sending, SMTP credential use, OAuth token storage, contact extraction from Graph/IMAP, DKIM setup, and webmail automation commands.
- src/web-panel/ws.js injects a panel into Gmail/Outlook/Yahoo/Zoho/Proton webmail pages, fills compose fields, and clicks send for configured target lists.
- package.json install hooks run automatically; hooks are not exfiltrative, but postinstall writes a Windows global nolimit.cmd shim and preinstall records EULA acceptance under ~/.nolimit.
- Templates and defaults are mass-mail assets: templates/emails.txt, messages.html, smtps/senders, phonebook numbers, carrier gateways.
- .ad/x0.js and modules write extracted contacts/output folders and credential config files in the working project such as smtps.txt, contacts/, extracted/ and dkim/.
- No lifecycle code found planting Claude/Codex/Cursor/MCP agent control surfaces or foreign AI-agent instructions.
- preinstall.js only prompts an EULA when interactive and writes ~/.nolimit/eula.json; non-TTY exits cleanly.
- postinstall.js only executes on Windows to create a package bin shim for .ad/x0.js, not persistence/autostart.
- Observed risky network use is part of invoked SMTP/SMS/OAuth/DNS/webmail functionality rather than install-time exfiltration.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
src/web-panel/ws.jsView on unpkg · L269Source file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/postinstall.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/postinstall.jsView on unpkg