npm

nolimit-x @1.0.274

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4621

Ecosystem

npm

Summary

nolimit-x ships an entirely obfuscator.io-packed runtime (45 files under .ad/, including the x0.js entrypoint) with no readable source. The devDependencies and the build script confirm the obfuscation is intentional: build is "node scripts/obfuscate.js" and javascript-obfuscator is listed in devDependencies.

The decoded entrypoint exposes a CLI offensive toolkit: a send subcommand for bulk SMS via SMTP-to-carrier email gateways and for bulk email; an auth subcommand that performs OAuth device-code flows against Microsoft and Google to obtain SMTP and Microsoft Graph credentials; an extract subcommand that reads a victim mailbox's contacts via Graph and IMAP and writes them to disk; a web subcommand that injects a sending panel into a logged-in Chrome webmail tab; a dkim subcommand that generates DKIM keys for arbitrary sender domains; and a scan-redirects subcommand. The README markets the package as an "Advanced email sender" with keywords including "red-team" and "smtp".

A hardcoded license check (http://api.nolimitent.xyz:4100/api/activate) POSTs the hardware ID, license key, hostname and platform over cleartext HTTP whenever the operator runs a license-gated subcommand.

main and bin both point at .ad/x0.js, which calls program.parse() at module top level. A consumer that merely require()s the package therefore runs commander against the consumer's own process.argv. No network request fires until argv matches one of the subcommands, but the library/CLI conflation, combined with the pervasive obfuscation, makes a pre-install audit infeasible.

The package is a packaged spam and credential-phishing toolkit dressed as an npm library. Installer-side harm is bounded (nothing auto-exfiltrates at install or import), but the package's purpose is to enable attacks on third parties (mailbox owners, SMS recipients, OAuth account holders), and the obfuscation defeats normal supply-chain audit.

Source: amazon-inspector (92a244ab5171edadc3082bc97d5b0834c4cfe98f2e5b6437503a30a7c1ac38aa)
