AI Security Review
scanned 2h ago · by lpm-firewall-aiImporting the main browser script automatically obscures the host page with a remote iframe. The remote domain can change displayed content without a package update.
Static reason
No blocking static signals were detected.
Trigger
A browser page imports or executes `px.js`.
Impact
Page takeover and potential phishing or malicious remote content delivery in the embedding site's origin context.
Mechanism
Import-time full-screen remote iframe injection
Attack narrative
The package main file is a browser payload that runs immediately, displays a loading mask, and overlays the entire viewport with an iframe to an external, package-unrelated domain. Its bundled maintenance script is designed to rotate that domain, republish, and purge CDN cache, supporting continued remote content delivery. This is concrete page-takeover behavior rather than a benign library function.
Rationale
Source inspection confirms automatic, full-screen delivery of remotely controlled external content on import. No install hook is needed for this malicious runtime behavior.
Evidence
package.jsonpx.jsupdate_px8my.sh
Network endpoints2
mfmz.lbooh.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js
Decision evidence
public snapshotAI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
- `px.js` executes on browser import and injects a full-screen iframe.
- `px.js` loads `https://mfmz.lbooh.cn/H.html?c=0gjr`, allowing remotely controlled content to replace the page.
- `update_px8my.sh` rotates the embedded domain, publishes the package, and purges the CDN cache.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- No source reads local files, environment variables, credentials, or spawns processes at runtime.
Behavioral surface
HighEntropyStringsMinifiedTrivial
Source & flagged code
1 flagged · loading sourceupdate_px8my.shView file
•path = update_px8my.sh
kind = build_helper
sizeBytes = 1400
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
update_px8my.shView on unpkgFindings
1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings