MAL-2026-4408

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@nolimit-x/win32-x64/MAL-2026-4408.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4408

Withdrawn

2026-05-26T21:41:23Z

Published

2026-05-25T18:11:32Z

Modified

2026-05-27T00:31:58.028758164Z

Summary

Malicious code in @nolimit-x/win32-x64 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (343787b335da015be56f49d118534c54bf81abab9e53b40bec0114d23bcc95c7)

Package ships a single 8.1 MB Windows PE (nolimit-core.exe) as its main entry with only the description 'nolimit-x native binary for Windows x64' — no README, no source, no documentation of what the binary does. String analysis of the binary reveals SMTP bulk-mailer / SMTP-credential-checker function-name fingerprints (send_emails, prime_smtps, smtp_configs, shared_body, first_chunk, chunk_offset, successful, all_dead, </script>) consistent with abuse tooling that iterates SMTP credential lists and sends bulk mail. Reversed-string obfuscation tokens (setybdet → tedbytes, uespemos → someseu/somespeu, arenegyl → lygenera, modnarod → dorandom) indicate the binary deliberately hides string constants from casual inspection. The package is a platform-shard (win32-x64) intended to be consumed by a parent @nolimit-x package that will spawn the binary on the installer's machine; the binary's purpose does not match any legitimate library function and is undocumented. Doc-mismatch + opaque obfuscated binary + SMTP-abuse string fingerprints together indicate a hostile payload distributed via npm.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004751",
            "versions": [
                "1.0.105"
            ],
            "sha256": "343787b335da015be56f49d118534c54bf81abab9e53b40bec0114d23bcc95c7",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T18:11:32Z",
            "import_time": "2026-05-26T05:53:12.808968198Z"
        }
    ]
}

References

https://www.npmjs.com/package/@nolimit-x/win32-x64/v/1.0.105

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @nolimit-x/win32-x64

Package

Name: @nolimit-x/win32-x64; View open source insights on deps.dev
Purl: pkg:npm/%40nolimit-x%2Fwin32-x64

Affected ranges

Affected versions

1.*

1.0.105

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "nolimit-core.exe",
            "sha256": "0379344efabb40734abf040b6f3915e3c6c88085ccba6fac727c0961e24a5dc9",
            "tlsh": "dc867c03fab299bcc95ac474865b6232fb31bc894536b7b71ba48b353d63b50670cb05"
        }
    ],
    "package_integrity": [
        {
            "filename": "win32-x64-1.0.105.tgz",
            "hashes": {
                "sha512_sri": "sha512-LWlMptNnQNg+A3JxybAo39vb+O9ghOuIV9mY9nMNuh1TJ16VbCcqysRdQPY9+5aEXA9kBoccr1xToVn/lLSUxg==",
                "sha1": "c68869fc38909b0fcd13acdd627dbef487ed498d"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@nolimit-x/win32-x64/MAL-2026-4408.json"