registry  /  px8my  /  1.0.40

px8my@1.0.40

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package is a browser runtime remote-content loader. When included on a page, it takes over the viewport with an iframe sourced from an external domain.

Static reason
No blocking static signals were detected.
Trigger
Browser import or script inclusion of main px.js
Impact
Consumer pages can be visually replaced by externally controlled content, enabling phishing or arbitrary remote payload display in the page viewport.
Mechanism
fullscreen remote iframe overlay
Rationale
Direct source inspection shows no install-time compromise, but the main entrypoint is a deliberate full-page remote iframe overlay with a domain-rotation publish helper. That is concrete runtime attack surface for externally controlled content rather than benign library behavior. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonpx.jsupdate_px8my.sh/root/npm/px/px.js/root/npm/px/package.json
Network endpoints2
mfmz.jwnrri.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Malware with medium false-positive risk.
Evidence for warning
  • px.js runs on browser load and creates a fixed full-viewport iframe above page content.
  • px.js sets iframe.src to https://mfmz.jwnrri.cn/H.html?c=0gjr.
  • px.js also adds a loading mask and changes document/body styles to hide normal page overflow.
  • update_px8my.sh is a publisher helper that rotates the mfmz.* domain and purges jsDelivr for px8my/px.js.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • No Node child_process, filesystem harvesting, credential collection, or AI-agent control-surface writes found.
  • Only package files present are package.json, px.js, and update_px8my.sh.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.50 KB of source

Source & flagged code

1 flagged · loading source
update_px8my.shView file
path = update_px8my.sh kind = build_helper sizeBytes = 1400 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

update_px8my.shView on unpkg

Findings

1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings