registry  /  px8my  /  1.0.48

px8my@1.0.48

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing `px.js` in a browser replaces the visible page with a fullscreen remote iframe after a loading mask. The package author can rotate the remote domain and republish it with `update_px8my.sh`.

Static reason
No blocking static signals were detected.
Trigger
Browser execution or bundling/import of the package entrypoint `px.js`.
Impact
An untrusted endpoint controls the user-visible page and can present phishing or other arbitrary web content under the host page.
Mechanism
Immediate fullscreen remote-content iframe loader.
Attack narrative
The package entrypoint executes immediately in a browser, displays a loading overlay, and then embeds an externally controlled page in a viewport-sized iframe with maximum z-index. This hides the integrating application and gives the remote host full control of visible content. The included publishing helper is designed to rotate the embedded domain, increment the package version, publish it, and purge CDN cache, enabling rapid replacement of the payload destination.
Rationale
This is a concrete remote payload delivery mechanism disguised as a package entrypoint, not a benign library behavior. No install hook is needed for the attack to activate when consumers load the package in a browser.
Evidence
package.jsonpx.jsupdate_px8my.sh
Network endpoints2
mfmz.tjyhwy3.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `px.js` immediately runs browser DOM code on import.
  • `px.js` creates a fullscreen, topmost iframe over the page.
  • `px.js` selects and loads `https://mfmz.tjyhwy3.cn/H.html?c=0gjr`.
  • The remote iframe can change content without a package update.
  • `update_px8my.sh` automates replacing the embedded domain and publishing.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • No credential harvesting, filesystem access, or child-process use appears in `px.js`.
  • The shell helper is not invoked by npm lifecycle scripts.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.50 KB of source

Source & flagged code

1 flagged · loading source
update_px8my.shView file
path = update_px8my.sh kind = build_helper sizeBytes = 1400 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

update_px8my.shView on unpkg

Findings

1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings