// npm 패키지
@parity/product-sdk-tx
Transaction submission, lifecycle watching, and dev signers for Polkadot chains
버전
9
메인테이너
12
라이선스
Apache-2.0
최초 publish
2026-04-23
publisher
paritytech-ci
tarball
252,360 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-06-03
// exfil path
what is read → where it shipssteals
- ● Seed phrase
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
→ view full payload// publisher 캠페인by paritytech-ci
이 계정에서 catch된 패키지 2건고립된 catch가 아닙니다. 동일 publisher가 1개의 다른 패키지를 추가로 발행했고, 모두 파이프라인이 catch했습니다 — 일회성이 아닌 조직적 캠페인의 형태. 아래 링크는 각 형제 catch의 분석으로 이동합니다.
// offending code· @0.2.7· 1 file flagged
- @0.2.7··AUTO-PUBLISHED·publisher: paritytech-ciheuristic 64/100static flags 1llm skippednew-publisher:21dpublisher-multi-name-burst:10publisher-version-pump:11reads-seed-phrase
// offending code· 1 file flaggedpatterns: 1
--- package/src/dev-signers.ts (excerpt) --- // Copyright 2026 Parity Technologies (UK) Ltd. // SPDX-License-Identifier: Apache-2.0 import { DEV_PHRASE } from "@polkadot-labs/hdkd-helpers"; import { seedToAccount } from "@parity/product-sdk-keys"; import type { PolkadotSigner } from "polkadot-api"; import type { DevAccountName } from "./types.js"; /** * Create a PolkadotSigner for a standard Substrate dev account. * * Dev accounts use the well-known Substrate dev mnemonic (`DEV_PHRASE`) with * Sr25519 key derivation at the path `//{Name}`. These accounts have known * private keys and are pre-funded on dev/test chains. * * Only for local development, scripts, and testing. Never use in production. * * @param name - Dev account name ("Alice", "Bob", "Charlie", "Dave", "Eve", or "Ferdie"). * @returns A PolkadotSigner that can sign transactions. * * @example * ```ts * import { createDevSigner } from "@parity/product-sdk-tx"; * * const alice = createDevSigner("Alice"); * const result = await submitAndWatch(tx, alice); * ``` */ export function createDevSigner(name: DevAccountName): PolkadotSigner { return seedToAccount(DEV_PHRASE, `//${name}`).signer; } /** * Get the public key bytes for a dev account. * * Useful for address derivation or identity checks in tests without * needing the full signer. * * @param name - Dev account name. * @returns 32-byte Sr25519 public key. */ export function getDevPublicKey(name: DevAccountName): Uint8Array { return seedToAccount(DEV_PHRASE, `//${name}`).pub
