AI Security Review
scanned 3h ago · by lpm-firewall-aiImporting or embedding the main browser script immediately overlays the host page with a full-screen remote iframe. The remote page can be changed after publication, making this package a runtime remote-content carrier.
Static reason
No blocking static signals were detected.
Trigger
Loading or importing `px.js` in a browser context.
Impact
Hijacks the rendered page and delegates displayed content to an external host.
Mechanism
Immediate full-screen remote iframe injection.
Attack narrative
When `px.js` is evaluated in a browser, it waits for DOM readiness, displays a loading mask, then inserts a highest-z-index full-viewport iframe pointed at an external URL. This replaces the host application's visible interface with remotely controlled content. The package does not need a lifecycle hook because the behavior occurs directly on runtime import.
Rationale
The package's sole runtime entrypoint is an unsolicited full-screen remote-content loader, not a normal library interface. Although it lacks install-time behavior and local harvesting, the concrete browser takeover and remotely mutable payload warrant blocking.
Evidence
package.jsonpx.jsupdate_px8my.sh
Network endpoints1
mfmz.haofeikeji.cn/H.html?c=0gjr
Decision evidence
public snapshotAI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
- `px.js` runs immediately when loaded in a browser.
- `px.js` creates a fixed full-screen iframe over the host page.
- `px.js` selects and loads `https://mfmz.haofeikeji.cn/H.html?c=0gjr`.
- The remote iframe content is publisher-controlled and can change without a package update.
- `package.json` exposes `px.js` as the package main entrypoint.
Evidence against
- `package.json` contains no preinstall, install, or postinstall hook.
- No credential, environment, filesystem, or child-process access appears in `px.js`.
- `update_px8my.sh` is not referenced by package lifecycle scripts or entrypoints.
Behavioral surface
HighEntropyStringsMinifiedTrivial
Source & flagged code
1 flagged · loading sourceupdate_px8my.shView file
•path = update_px8my.sh
kind = build_helper
sizeBytes = 1400
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
update_px8my.shView on unpkgFindings
1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings