Veredicto:MALICIOUS — Violates CAN-SPAM, CFAA, Computer Misuse Act

▸Visión General

A commercial phishing-as-a-service toolkit distributed via npm for 9 months. Includes DKIM spoofing with stolen private keys, Google/Microsoft OAuth replay attacks, anti-spam fingerprint evasion, SMS phishing via Twilio, QR code phishing, IMAP inbox harvesting, and pre-configured SMTP gateways for major carriers. Functions accept victimList and burnerEmail parameters.

95

Versions Published

9mo

Active Duration

4+

Attack Channels

Ed25519

License System

▸Flujo del Ataque

DKIM Spoofing

Uses stolen private keys to forge DKIM signatures, making phishing emails pass authentication checks.

OAuth Replay

Pre-built attack flows for Google and Microsoft 365 OAuth replay, capturing authorization tokens.

Anti-Detection

HTML mutation, CSS reordering, comment injection, and TLS fingerprint spoofing to evade spam filters.

Multi-Channel

SMS phishing via Twilio, QR code phishing, and IMAP inbox harvesting for credential collection.

Licensing

Ed25519 license system with 7-day server check-ins. This is a commercial product sold to criminals.

▸MITRE ATT&CK Mapeo

T1566.001Spearphishing Attachment — DKIM spoofed emails

T1528Steal Application Access Token — OAuth replay

T1114.002Remote Email Collection — IMAP harvesting

T1598.003Spearphishing Service — SMS/QR phishing

▸Tags

PhishingDKIMOAuthSMSCommercial Malware

▸Informe Completo

Commercial Phishing Toolkit: nolimit-x

TL;DR

nolimit-x is a commercial phishing-as-a-service toolkit sold via npm with 95 versions. It includes DKIM spoofing, Google/Microsoft OAuth replay attacks, anti-spam fingerprint evasion, and SMS phishing via Twilio. Functions accept victimList and burnerEmail parameters.

Package

Name: nolimit-x@1.0.94
Maintainer: nolimitaworkspace (carlweber120@gmail.com)
Versions: 95 (since 2025-07-01 — 9 months active)
Description: "Advanced email sender" (28 chars)
License system: Ed25519 with 7-day server check-ins to localhost:4100

Capabilities (verified from source code)

DKIM Spoofing (src/dkim-spoofer.js)

Generates forged DKIM signatures for arbitrary domains. Loads stolen private keys. Uses VulnerabilityDatabase to find exploitable DKIM configurations.

OAuth Replay Attack (src/real-replay-attack.js)

async setupGoogleOAuthReplay(burnerEmail, burnerPass, phishingMessage, victimList) {
    // Step 1: Create OAuth app with phishing message in name
    // Step 2: Trigger security alert (simulated)
    // Step 3: Setup forwarder transport
    // Step 4: Forward to victims with preserved DKIM
}

Same attack chain for Microsoft 365.

Anti-Spam Fingerprint Evasion (src/fingerprint-evasion.js)

Mutates HTML email content: comment injection, CSS reordering, attribute shuffling, entity swaps. Three intensity levels. Specifically designed to bypass spam filter fingerprinting.

Additional

TLS fingerprint spoofing
SMS phishing via Twilio
QR code phishing
IMAP inbox harvesting
Pre-configured SMTP gateways for AT&T, T-Mobile, Verizon
Hardware ID tracking

Why This Violates npm ToS

npm Acceptable Content policy item 3 prohibits "malicious computer code" and states "exploits and malware that use the npm registry as a deployment or delivery vector are not" acceptable. Item 5 of Acceptable Use: "You will not violate any applicable law." This toolkit facilitates violations of CAN-SPAM Act, CFAA, and Computer Misuse Act.