{"id":"MAL-2026-4408","summary":"Malicious code in @nolimit-x/win32-x64 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (343787b335da015be56f49d118534c54bf81abab9e53b40bec0114d23bcc95c7)\nPackage ships a single 8.1 MB Windows PE (`nolimit-core.exe`) as its `main` entry with only the description 'nolimit-x native binary for Windows x64' — no README, no source, no documentation of what the binary does. String analysis of the binary reveals SMTP bulk-mailer / SMTP-credential-checker function-name fingerprints (`send_emails`, `prime_smtps`, `smtp_configs`, `shared_body`, `first_chunk`, `chunk_offset`, `successful`, `all_dead`, `\u003c/script\u003e`) consistent with abuse tooling that iterates SMTP credential lists and sends bulk mail. Reversed-string obfuscation tokens (`setybdet` → `tedbytes`, `uespemos` → `someseu`/`somespeu`, `arenegyl` → `lygenera`, `modnarod` → `dorandom`) indicate the binary deliberately hides string constants from casual inspection. The package is a platform-shard (`win32-x64`) intended to be consumed by a parent `@nolimit-x` package that will spawn the binary on the installer's machine; the binary's purpose does not match any legitimate library function and is undocumented. Doc-mismatch + opaque obfuscated binary + SMTP-abuse string fingerprints together indicate a hostile payload distributed via npm.\n","modified":"2026-05-27T00:31:58.028758164Z","published":"2026-05-25T18:11:32Z","withdrawn":"2026-05-26T21:41:23Z","database_specific":{"malicious-packages-origins":[{"sha256":"343787b335da015be56f49d118534c54bf81abab9e53b40bec0114d23bcc95c7","versions":["1.0.105"],"modified_time":"2026-05-25T18:11:32Z","import_time":"2026-05-26T05:53:12.808968198Z","id":"IN-MAL-2026-004751","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@nolimit-x/win32-x64/v/1.0.105"}],"affected":[{"package":{"name":"@nolimit-x/win32-x64","ecosystem":"npm","purl":"pkg:npm/%40nolimit-x%2Fwin32-x64"},"versions":["1.0.105"],"database_specific":{"indicators":{"package_integrity":[{"filename":"win32-x64-1.0.105.tgz","hashes":{"sha1":"c68869fc38909b0fcd13acdd627dbef487ed498d","sha512_sri":"sha512-LWlMptNnQNg+A3JxybAo39vb+O9ghOuIV9mY9nMNuh1TJ16VbCcqysRdQPY9+5aEXA9kBoccr1xToVn/lLSUxg=="}}],"evidence_files":[{"sha256":"0379344efabb40734abf040b6f3915e3c6c88085ccba6fac727c0961e24a5dc9","tlsh":"dc867c03fab299bcc95ac474865b6232fb31bc894536b7b71ba48b353d63b50670cb05","path":"nolimit-core.exe"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@nolimit-x/win32-x64/MAL-2026-4408.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}