// npm 패키지

@antv/torch

torchjs for @antv.

npmjs.com tarball repo homepage

버전

메인테이너

라이선스

ISC

최초 publish

2019-04-02

publisher

atool

tarball

39,784 B

AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2019-09-05

// exfil path

what is read → where it ships

steals

● Chromium logins

sends to

(no destination string extracted — payload may be dynamic / obfuscated)

evidence in excerpt

> const spawn = require('child_process').spawn;
> const child = spawn(electron, args);
> child.stderr.on('data', function(data) {

→ view full payload

// publisher 캠페인by atool

이 계정에서 catch된 패키지 9건

고립된 catch가 아닙니다. 동일 publisher가 8개의 다른 패키지를 추가로 발행했고, 모두 파이프라인이 catch했습니다 — 일회성이 아닌 조직적 캠페인의 형태. 아래 링크는 각 형제 catch의 분석으로 이동합니다.

// offending code· @1.0.6· 3 files flagged

llm: benign · 0.85

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@1.0.6·2019-09-05·AUTO-PUBLISHED·publisher: atool

heuristic 75/100

static flags 3

llm benign (0.85) via ollama

publisher-multi-name-burst:5osv-flagged:MAL-2026-4090reads-chromium-credsreads-env-varschild-process-spawn

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

// offending code· 3 files flaggedpatterns: 3

--- package/package.json (excerpt) ---
{
  "name": "@antv/torch",
  "version": "1.0.6",
  "description": "torchjs for @antv.",
  "author": "wensen.lws <wensen.lws@alibaba-inc.com>",
  "homepage": "",
  "license": "ISC",
  "main": "index.js",
  "bin": {
    "torch-coverage": "./bin/coverage.js",
    "torch": "./bin/torch.js"
  },
  "directories": {
    "lib": "lib",
    "test": "__tests__"
  },
  "files": [
    "bin",
    "lib",
    "renderer"
  ],
  "publishConfig": {
    "access": "public"
  },
  "repository": {
    "type": "git",
    "url": "git@github.com:antvis/tools.git"
  },
  "scripts": {
    "coverage": "npm run coverage-generator && npm run coverage-viewer",
    "coverage-generator": "node bin/torch --compile --coverage --renderer --recursive __tests__/renderer",
    "coverage-viewer": "node bin/coverage",
    "test": "npm run test-main && npm run test-renderer && npm run test-http",
    "test-main": "node bin/torch --compile --dom-global __tests__/main",
    "test-renderer": "node bin/torch --compile --renderer --notify-on-fail __tests__/renderer",
    "test-live": "node bin/torch --compile --interactive __tests__/renderer",
    "test-http": "node bin/torch --dom-global --compile --http __tests__/main",
    "test-http-live": "node bin/torch --compile --http --interactive __tests__/renderer",
    "ci": "npm run lint && npm run test"
  },
  "dependencies": {
    "@antv/istanbul": "^0.0.0",
    "@babel/core": "^7.0.0",
    "@babel/preset-env": "^7.0.0",
    "@babel/register": "^7.0.0",
    "babel-plugin-ist

--- package/renderer/run.js (excerpt) ---
const {
  resolve,
  dirname,
} = require('path');
const mocha = require('mocha');
const {
  writeFileSync,
} = require('fs');
const {
  mkdir,
} = require('macaca-utils');
const {
  ipcRenderer,
  remote,
} = require('electron');
// require('electron-cookies');
const notify = require('../lib/notify');
const Coverage = require('../lib/coverage');
const runMocha = require('../lib/runMocha');
const remoteConsole = remote.require('console');

let opts = {};

if (window.location.hash) {
  const hash = window.location.hash.slice(1);
  opts = JSON.parse(decodeURIComponent(hash));
}

if (opts.interactive) {
  const pkg = require('../package');
  // eslint-disable-next-line
  console.log(`${pkg.name}(${pkg.version}) run with protocol '${window.location.protocol}'`);
} else {
  require('./console');
}

let coverage;
if (opts.coverage) {
  try {
    coverage = new Coverage(opts.root, opts.sourcePattern);
  } catch (e) {
    remoteConsole.error(e);
  }
}

// Expose mocha
window.mocha = mocha;

function reportError({
  message,
  stack,
}) {
  if (opts.interactive) {
    console.error(message);
    console.error(stack);
  } else {
    ipcRenderer.send('mocha-error', {
      message,
      stack,
    });
  }
}

// TODO compile
if (opts.compile) {
  require('../lib/requireHook')(opts.compileOpts);
}

ipcRenderer.on('mocha-start', () => {
  try {
    runMocha(opts, (count) => {
      if (count && opts.notifyOnFail) {
        notify(count);
      }
      if (coverage) {
        try {
       

--- package/lib/launchElectronApp.js (excerpt) ---
const spawn = require('child_process').spawn;
const which = require('which');

function resolveModule(module, resolver) {
  try {
    return (resolver || require)(module);
  } catch (_) {
    // ignore
  }
}

const electron = process.env.ELECTRON_PATH ||
  resolveModule('electron') ||
  resolveModule('electron-prebuilt') ||
  resolveModule('electron', which.sync);

if (!electron) {
  console.error('');
  console.error('  Can not find `electron` in the $PATH and $ELECTRON_PATH is not set.');
  console.error('  Please either set $ELECTRON_PATH or `npm install electron`.');
  console.error('');
  process.exit(1);
}

module.exports = appPath => {
  const args = process.argv.slice(2);
  args.unshift(appPath);

  const child = spawn(electron, args);
  child.stdout.pipe(process.stdout);
  process.stdin.pipe(child.stdin);

  child.stderr.on('data', function(data) {
    const str = data.toString('utf8');
    // it's Chromium, STFU
    if (str.match(/^\[\d+:\d+/)) {
      return;
    }
    process.stderr.write(data);
  });
  child.on('exit', code => {
    process.exit(code);
  });
};