registry  /  px8my  /  1.0.50

px8my@1.0.50

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing or embedding the main browser script immediately overlays the host page with a full-screen remote iframe. The remote page can be changed after publication, making this package a runtime remote-content carrier.

Static reason
No blocking static signals were detected.
Trigger
Loading or importing `px.js` in a browser context.
Impact
Hijacks the rendered page and delegates displayed content to an external host.
Mechanism
Immediate full-screen remote iframe injection.
Attack narrative
When `px.js` is evaluated in a browser, it waits for DOM readiness, displays a loading mask, then inserts a highest-z-index full-viewport iframe pointed at an external URL. This replaces the host application's visible interface with remotely controlled content. The package does not need a lifecycle hook because the behavior occurs directly on runtime import.
Rationale
The package's sole runtime entrypoint is an unsolicited full-screen remote-content loader, not a normal library interface. Although it lacks install-time behavior and local harvesting, the concrete browser takeover and remotely mutable payload warrant blocking.
Evidence
package.jsonpx.jsupdate_px8my.sh
Network endpoints1
mfmz.haofeikeji.cn/H.html?c=0gjr

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `px.js` runs immediately when loaded in a browser.
  • `px.js` creates a fixed full-screen iframe over the host page.
  • `px.js` selects and loads `https://mfmz.haofeikeji.cn/H.html?c=0gjr`.
  • The remote iframe content is publisher-controlled and can change without a package update.
  • `package.json` exposes `px.js` as the package main entrypoint.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall hook.
  • No credential, environment, filesystem, or child-process access appears in `px.js`.
  • `update_px8my.sh` is not referenced by package lifecycle scripts or entrypoints.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.50 KB of source

Source & flagged code

1 flagged · loading source
update_px8my.shView file
path = update_px8my.sh kind = build_helper sizeBytes = 1400 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

update_px8my.shView on unpkg

Findings

1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings