nolimit-x (npm)
Malicious code in nolimit-x (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
nolimit-x ships an entirely obfuscator.io-packed runtime (45 files under .ad/, including the x0.js entrypoint) with no readable source. The devDependencies and the build script confirm the obfuscation is intentional (build: node scripts/obfuscate.js, javascript-obfuscator in devDependencies).

The decoded entrypoint exposes a CLI offensive toolkit:
- a send subcommand for bulk SMS via SMTP-to-carrier email gateways and bulk email;
- an auth subcommand performing OAuth device-code flows against Microsoft and Google to obtain SMTP + Microsoft Graph credentials;
- an extract subcommand that reads a victim mailbox's contacts via Graph + IMAP and writes them to disk;
- a web subcommand that injects a sending panel into a logged-in Chrome webmail tab;
- a dkim subcommand that generates DKIM keys for arbitrary sender domains;
- and scan-redirects.

The README markets it as an "Advanced email sender" with keywords including "red-team" and "smtp". A hardcoded license check (http://api.nolimitent.xyz:4100/api/activate) POSTs hardware ID, license key, hostname, and platform in cleartext when the operator runs license-gated subcommands.

main and bin both point at .ad/x0.js, which calls program.parse() at module top level, so a consumer that require()s the package will run commander against the consumer's process.argv. No network traffic fires until argv matches a subcommand, but the library/CLI conflation plus pervasive obfuscation make pre-install audit infeasible.

The package is a packaged phishing/spam/credential-phishing toolkit dressed as an npm library. Installer-side harm is bounded (no auto-exfil at install or import), but the package's purpose is to enable attacks on third parties (mailbox owners, SMS recipients, OAuth account holders), and the obfuscation defeats normal supply-chain audit.
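The manifest traits described above (main and bin sharing one file, an entry point under a hidden directory, an obfuscator in devDependencies, an obfuscating build script) can be checked during dependency review. The following is an added example, not code from this advisory or from the package; the finding labels, function names and sample manifests are assumptions constructed from the text, and a hit is a triage signal to look closer rather than proof of malice.

```javascript
// Added example: manifest triage for the traits this advisory describes.
const KNOWN_MALICIOUS = new Set(['nolimit-x']);          // name from the advisory
const OBFUSCATOR_DEPS = new Set(['javascript-obfuscator']);

const normalize = (p) => String(p).replace(/^\.\//, '');

function binTargets(manifest) {
  const bin = manifest.bin;
  if (!bin) return [];
  // npm accepts bin as a single path or as a { command: path } map.
  return (typeof bin === 'string' ? [bin] : Object.values(bin)).map(normalize);
}

function inHiddenDir(entry) {
  // True when any directory component is dot-prefixed, e.g. ".ad/x0.js".
  return entry.split('/').slice(0, -1)
    .some((seg) => seg.startsWith('.') && seg !== '.' && seg !== '..');
}

function auditManifest(manifest) {
  const findings = [];
  const main = manifest.main ? normalize(manifest.main) : null;
  const bins = binTargets(manifest);
  if (KNOWN_MALICIOUS.has(manifest.name)) findings.push('known-malicious-name');
  // Same file as library entry and CLI entry: require() would run the CLI parser.
  if (main && bins.includes(main)) findings.push('main-equals-bin');
  if ([main, ...bins].filter(Boolean).some(inHiddenDir)) findings.push('entry-in-hidden-dir');
  const dev = Object.keys(manifest.devDependencies || {});
  if (dev.some((d) => OBFUSCATOR_DEPS.has(d))) findings.push('obfuscator-dev-dependency');
  const scripts = Object.values(manifest.scripts || {});
  if (scripts.some((s) => /obfuscat/i.test(String(s)))) findings.push('obfuscation-build-script');
  return findings;
}

// Constructed sample: fields quoted in the advisory, everything else assumed.
const suspectManifest = {
  name: 'nolimit-x',
  main: '.ad/x0.js',
  bin: { 'nolimit-x': '.ad/x0.js' },                    // command name is an assumption
  scripts: { build: 'node scripts/obfuscate.js' },
  devDependencies: { 'javascript-obfuscator': '*' },    // version is a placeholder
};
// Constructed benign manifest for contrast.
const benignManifest = {
  name: 'example-lib', main: 'lib/index.js', bin: { example: 'bin/cli.js' },
  scripts: { build: 'tsc' }, devDependencies: { typescript: '*' },
};

console.log(auditManifest(suspectManifest));
console.log(auditManifest(benignManifest));
```

Feed it the parsed package.json of each installed or candidate dependency; it reads only the manifest and never loads the package's code.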
Credits
- Amazon Inspector · finder