Supply-chain threat intelligence
Risk score
92
Indexed incident for nolimit-x (npm).
nolimit-x ships an entirely obfuscator.io-packed runtime (45 files under.ad/, including the x0.js entrypoint) with no readable source, and devDependencies + the build script confirm the obfuscation is intentional (build: node scripts/obfuscate.js, javascript-obfuscator in devDependencies). The decoded entrypoint exposes a CLI offensive toolkit: a send subcommand for bulk SMS via SMTP-to-carrier email gateways and bulk email; an auth subcommand performing OAuth device-code flows against Microsoft and Google to obtain SMTP + Microsoft Graph credentials; an extract subcommand that reads a victim mailbox's contacts via Graph + IMAP and writes them to disk; a web subcommand that injects a sending panel into a logged-in Chrome webmail tab; a dkim subcommand that generates DKIM keys for arbitrary sender domains; and scan-redirects. README markets it as an "Advanced email sender" with keywords including "red-team" and "smtp". A hardcoded license check (http://api.nolimitent.xyz:4100/api/activate) POSTs hardware ID, license key, hostname, and platform in cleartext when the operator runs license-gated subcommands. main and bin both point at.ad/x0.js, which calls program.parse() at module top level — a consumer that require()s the package will run commander against the consumer's process.argv (no network fires until argv matches a subcommand, but the library/CLI conflation plus pervasive obfuscation make pre-install audit infeasible). The package is a packaged phishing/spam/credential-phishing toolkit dressed as an npm library; installer-side harm is bounded (no auto-exfil at install or import), but the package's purpose is to enable attacks on third parties (mailbox owners, SMS recipients, OAuth account holders), and the obfuscation defeats normal supply-chain audit.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected versions
Indicators
Timeline