AI Security Review
scanned 2h ago · by lpm-firewall-ai

The package is a heavily obfuscated bulk messaging and webmail automation tool with phishing/spam-adjacent capability. No unconsented install-time compromise or remote payload execution was confirmed.
Decision evidence
public snapshot
- package.json defines preinstall/postinstall and obfuscated CLI main .ad/x0.js.
- .ad/x0.js implements bulk SMTP/SMS sending, OAuth SMTP setup, contact extraction, SOCKS/proxy and DKIM tooling.
- src/web-panel/ws.js injects a panel into Gmail/Outlook/Yahoo and clicks Send for target lists.
- Templates include tracking-link placeholders and attachment generators; phonebook includes carrier SMTP gateways.
- scripts/preinstall.js only prompts for EULA and writes ~/.nolimit/eula.json on acceptance.
- scripts/postinstall.js only creates a Windows nolimit.cmd shim and does not download or execute remote payloads.
- No confirmed credential exfiltration to attacker-controlled endpoint found in inspected install hooks or web panel.
- Risky behaviors appear to be user-invoked CLI/webmail features rather than import-time or install-time compromise.
Source & flagged code
6 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js, line 269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)