AI Security Review
scanned 2h ago · by lpm-firewall-aiImporting or embedding the declared `px.js` browser entry immediately overlays the page and loads operator-controlled remote content. The maintained update helper enables rotating that remote destination through new npm releases.
Static reason
No blocking static signals were detected.
Trigger
Browser-side execution of `px.js` after package import or CDN embedding.
Impact
Remote operators can replace the host page UI and serve arbitrary phishing or malicious web content.
Mechanism
Full-screen iframe remote payload loader with domain rotation.
Attack narrative
The package advertises `px.js` as its main entry. In a browser, that file immediately displays a loading overlay, locks the viewport, and inserts a topmost iframe pointed at an external domain. The companion publisher script is explicitly built to replace that domain and publish a new version, allowing the operator to rotate remote payload infrastructure. This supports deceptive page takeover and unreviewed remote content delivery.
Rationale
This is a concrete browser-side remote payload chain rather than a benign utility: it automatically obscures the host UI and hands control to an external page. No lifecycle hook is needed for the malicious behavior to activate when the browser entry is used.
Evidence
package.jsonpx.jsupdate_px8my.sh
Network endpoints2
mfmz.85qbv.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `px.js` runs immediately on browser script load and creates a full-screen iframe.
- `px.js` fetches remote active content from `https://mfmz.85qbv.cn/H.html?c=0gjr`.
- `px.js` disguises the remote frame with a Chinese loading mask and changes the page title.
- `update_px8my.sh` replaces the embedded domain, increments the package version, publishes, and purges CDN cache.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- No credential harvesting, local-file access, or child-process execution appears in the shipped browser payload.
Behavioral surface
HighEntropyStringsMinifiedTrivial
Source & flagged code
1 flagged · loading sourceupdate_px8my.shView file
•path = update_px8my.sh
kind = build_helper
sizeBytes = 1400
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
update_px8my.shView on unpkgFindings
1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings