npm · Malicious package advisory
Malware@nolimit-x/win32-x64
MAL-2026-4408
Malicious code in @nolimit-x/win32-x64 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (343787b335da015be56f49d118534c54bf81abab9e53b40bec0114d23bcc95c7) Package ships a single 8.1 MB Windows PE (`nolimit-core.exe`) as its `main` entry with only the description 'nolimit-x native binary for Windows x64' — no README, no source, no documentation of what the binary does. String analysis of the binary reveals SMTP bulk-mailer / SMTP-credential-checker function-name fingerprints (`send_emails`, `prime_smtps`, `smtp_configs`, `shared_body`, `first_chunk`, `chunk_offset`, `successful`, `all_dead`, `</script>`) consistent with abuse tooling that iterates SMTP credential lists and sends bulk mail. Reversed-string obfuscation tokens (`setybdet` → `tedbytes`, `uespemos` → `someseu`/`somespeu`, `arenegyl` → `lygenera`, `modnarod` → `dorandom`) indicate the binary deliberately hides string constants from casual inspection. The package is a platform-shard (`win32-x64`) intended to be consumed by a parent `@nolimit-x` package that will spawn the binary on the installer's machine; the binary's purpose does not match any legitimate library function and is undocumented. Doc-mismatch + opaque obfuscated binary + SMTP-abuse string fingerprints together indicate a hostile payload distributed via npm.
Compromised versions (1)
- 1.0.105
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.