registry  /  px8my  /  1.0.52

px8my@1.0.52

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the package in a browser executes code that replaces the visible page with remote iframe content. The included publisher helper supports changing that remote destination across releases.

Static reason
No blocking static signals were detected.
Trigger
Browser-side evaluation/import of `px.js`.
Impact
A consuming application page can be obscured and controlled visually by an external, mutable site.
Mechanism
Full-screen remote iframe injection with publisher-managed domain rotation.
Attack narrative
The declared main file immediately manipulates the DOM, shows a loading mask, and loads an externally hosted page into a full-viewport iframe above all application content. The package offers no legitimate module API. Its bundled helper is explicitly designed to replace the embedded domain, increment the version, publish the package, and purge CDN cache, enabling rapid rotation of the remotely controlled payload.
Rationale
Source inspection confirms a concrete remote-content takeover on import, not merely a shell helper or scanner heuristic. This is a staged payload carrier whose destination can be rotated by the publisher.
Evidence
px.jsupdate_px8my.shpackage.json
Network endpoints2
mfmz.gszfgt.cn/H.html?c=0gjrpurge.jsdelivr.net/npm/px8my/px.js

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `px.js` runs immediately on module evaluation.
  • `px.js` overlays the entire page with a high-z-index iframe.
  • `px.js` selects and loads `https://mfmz.gszfgt.cn/H.html?c=0gjr`.
  • `update_px8my.sh` rotates the embedded domain, publishes, and purges CDN cache.
Evidence against
  • `package.json` contains no npm lifecycle hooks.
  • No credential harvesting, shell execution, or local file access appears in `px.js`.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.50 KB of source

Source & flagged code

1 flagged · loading source
update_px8my.shView file
path = update_px8my.sh kind = build_helper sizeBytes = 1400 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

update_px8my.shView on unpkg

Findings

1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings