Vulnerability
Malicious code in nolimit-x (npm)
---

## Source: amazon-inspector (92a244ab5171edadc3082bc97d5b0834c4cfe98f2e5b6437503a30a7c1ac38aa)

nolimit-x ships an entirely obfuscator.io-packed runtime (45 files under `.ad/`, including the `x0.js` entrypoint) with no readable source, and the devDependencies and build script confirm the obfuscation is intentional (`build: node scripts/obfuscate.js`, `javascript-obfuscator` in devDependencies).

The decoded entrypoint exposes a CLI offensive toolkit:

- a `send` subcommand for bulk SMS via SMTP-to-carrier email gateways and bulk email;
- an `auth` subcommand performing OAuth device-code flows against Microsoft and Google to obtain SMTP and Microsoft Graph credentials;
- an `extract` subcommand that reads a victim mailbox's contacts via Graph and IMAP and writes them to disk;
- a `web` subcommand that injects a sending panel into a logged-in Chrome webmail tab;
- a `dkim` subcommand that generates DKIM keys for arbitrary sender domains;
- and `scan-redirects`.

The README markets it as an "Advanced email sender" with keywords including "red-team" and "smtp". A hardcoded license check (`http://api.nolimitent.xyz:4100/api/activate`) POSTs hardware ID, license key, hostname, and platform in cleartext when the operator runs license-gated subcommands.

`main` and `bin` both point at `.ad/x0.js`, which calls `program.parse()` at module top level, so a consumer that `require()`s the package runs commander against the consumer's `process.argv`. No network request fires until argv matches a subcommand, but the library/CLI conflation plus pervasive obfuscation make pre-install audit infeasible.

The package is a packaged spam and credential-phishing toolkit dressed as an npm library. Installer-side harm is bounded (no auto-exfiltration at install or import), but the package's purpose is to enable attacks on third parties (mailbox owners, SMS recipients, OAuth account holders), and the obfuscation defeats normal supply-chain audit.
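As an added example that is not part of the advisory source or the package's own code, the following Node script applies the manifest-level checks the description above points at: obfuscation tooling declared as a dependency, a build script that runs an obfuscator, and `main` and `bin` resolving to the same file. The sample manifest is constructed from the traits described above (the version string is a placeholder); it is not the real package.json.

```javascript
// Manifest heuristics for supply-chain triage (added example, not the package's code).

// Normalise a manifest path so "./.ad/x0.js" and ".ad/x0.js" compare equal.
function normalizeEntry(p) {
  return String(p)
    .replace(/\\/g, "/")
    .split("/")
    .filter((seg) => seg && seg !== ".")
    .join("/");
}

// Collect every bin target; "bin" may be a string or a name -> path object.
function binTargets(pkg) {
  const bin = pkg.bin;
  if (!bin) return [];
  if (typeof bin === "string") return [normalizeEntry(bin)];
  return Object.values(bin).map(normalizeEntry);
}

// Return a list of human-readable findings for a parsed package.json object.
function auditManifest(pkg) {
  const findings = [];
  const allDeps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  if ("javascript-obfuscator" in allDeps) {
    findings.push("obfuscation-tooling: javascript-obfuscator is a declared dependency");
  }
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (/obfuscat/i.test(cmd)) {
      findings.push(`obfuscation-build-step: scripts.${name} runs "${cmd}"`);
    }
  }
  const main = pkg.main ? normalizeEntry(pkg.main) : null;
  if (main && binTargets(pkg).includes(main)) {
    // A shared entrypoint means require() executes whatever the CLI does at top level.
    findings.push(`library-cli-conflation: main and bin both resolve to ${main}`);
  }
  return findings;
}

// Constructed manifest modelled on the traits described in the advisory (not real data).
const SAMPLE_MANIFEST = {
  name: "example-pkg",
  main: "./.ad/x0.js",
  bin: { "example-pkg": ".ad/x0.js" },
  scripts: { build: "node scripts/obfuscate.js" },
  devDependencies: { "javascript-obfuscator": "0.0.0-placeholder" },
};

console.log(auditManifest(SAMPLE_MANIFEST).join("\n"));
```

Run it against any unpacked tarball's package.json before `npm install`; a hit on all three checks is a strong signal to inspect the entry file by hand.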
No CVSS base score from NVD or GHSA yet (NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs). For interim severity, fall back on KEV and exploit signals and the EPSS percentile.

FIRST.org publishes EPSS daily. Coverage is not universal: pre-disclosure CVEs and reserved IDs carry no EPSS score until at least one exploitation signal lands.
No exploitation, limited impact or prevalence