AI Security Review
scanned 4h ago · by lpm-firewall-aiThe package is a browser runtime remote-content loader. When included on a page, it takes over the viewport with an iframe sourced from an external domain.
Static reason
No blocking static signals were detected.
Trigger
Browser import or script inclusion of main px.js
Impact
Consumer pages can be visually replaced by externally controlled content, enabling phishing or arbitrary remote payload display in the page viewport.
Mechanism
fullscreen remote iframe overlay
Rationale
Direct source inspection shows no install-time compromise, but the main entrypoint is a deliberate full-page remote iframe overlay with a domain-rotation publish helper. That is concrete runtime attack surface for externally controlled content rather than benign library behavior. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonpx.jsupdate_px8my.sh/root/npm/px/px.js/root/npm/px/package.json
Network endpoints2
mfmz.jwnrri.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Malware with medium false-positive risk.
Evidence for warning
- px.js runs on browser load and creates a fixed full-viewport iframe above page content.
- px.js sets iframe.src to https://mfmz.jwnrri.cn/H.html?c=0gjr.
- px.js also adds a loading mask and changes document/body styles to hide normal page overflow.
- update_px8my.sh is a publisher helper that rotates the mfmz.* domain and purges jsDelivr for px8my/px.js.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- No Node child_process, filesystem harvesting, credential collection, or AI-agent control-surface writes found.
- Only package files present are package.json, px.js, and update_px8my.sh.
Behavioral surface
HighEntropyStringsMinifiedTrivial
Source & flagged code
1 flagged · loading sourceupdate_px8my.shView file
•path = update_px8my.sh
kind = build_helper
sizeBytes = 1400
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
update_px8my.shView on unpkgFindings
1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings