registry  /  px8my  /  1.0.51

px8my@1.0.51

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing the main browser entrypoint immediately overlays the page with a full-screen iframe. The iframe loads remotely controlled content from an unrelated domain, while the included helper supports rotating that domain and republishing.

Static reason
No blocking static signals were detected.
Trigger
A consumer loads or imports `px.js` in a page with `document`.
Impact
Remote operators can replace the visible application surface with arbitrary third-party web content, enabling deceptive or phishing-style presentation.
Mechanism
Full-screen remote iframe payload loader with publisher-controlled domain rotation.
Attack narrative
The declared main entrypoint runs on load, creates a blocking loading screen, and inserts a full-viewport iframe to an unrelated remote domain. The package therefore acts as an active loader for externally controlled page content rather than providing a package-local library function. Its bundled update helper specifically rotates that domain, publishes a new version, and purges the CDN, supporting continued remote payload rotation.
Rationale
This is concrete import-time deceptive remote-content loading, not an inert helper or package-aligned network use. Although it lacks install hooks and host credential access, the externally controlled full-screen overlay is malicious behavior.
Evidence
package.jsonpx.jsupdate_px8my.sh
Network endpoints2
mfmz.qvsuy.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `px.js` is the package `main` entrypoint and executes immediately in a browser context.
  • `px.js` creates a maximum-z-index full-screen loading mask and iframe.
  • The iframe loads `https://mfmz.qvsuy.cn/H.html?c=0gjr`, placing remote content over the host page.
  • `update_px8my.sh` automates replacement of the remote domain, version bump, publish, and CDN purge.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No credential harvesting, filesystem access, shell execution, or parent-context data exfiltration appears in `px.js`.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.49 KB of source

Source & flagged code

1 flagged · loading source
update_px8my.shView file
path = update_px8my.sh kind = build_helper sizeBytes = 1400 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

update_px8my.shView on unpkg

Findings

1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings