registry  /  px8my  /  1.0.43

px8my@1.0.43

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing the main browser script automatically obscures the host page with a remote iframe. The remote domain can change displayed content without a package update.

Static reason
No blocking static signals were detected.
Trigger
A browser page imports or executes `px.js`.
Impact
Page takeover and potential phishing or malicious remote content delivery in the embedding site's origin context.
Mechanism
Import-time full-screen remote iframe injection
Attack narrative
The package main file is a browser payload that runs immediately, displays a loading mask, and overlays the entire viewport with an iframe to an external, package-unrelated domain. Its bundled maintenance script is designed to rotate that domain, republish, and purge CDN cache, supporting continued remote content delivery. This is concrete page-takeover behavior rather than a benign library function.
Rationale
Source inspection confirms automatic, full-screen delivery of remotely controlled external content on import. No install hook is needed for this malicious runtime behavior.
Evidence
package.jsonpx.jsupdate_px8my.sh
Network endpoints2
mfmz.lbooh.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `px.js` executes on browser import and injects a full-screen iframe.
  • `px.js` loads `https://mfmz.lbooh.cn/H.html?c=0gjr`, allowing remotely controlled content to replace the page.
  • `update_px8my.sh` rotates the embedded domain, publishes the package, and purges the CDN cache.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • No source reads local files, environment variables, credentials, or spawns processes at runtime.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.49 KB of source

Source & flagged code

1 flagged · loading source
update_px8my.shView file
path = update_px8my.sh kind = build_helper sizeBytes = 1400 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

update_px8my.shView on unpkg

Findings

1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings