Static pattern: install-path-npm-publish — 1 caught | Cremit

AUTO-PUBLISHED/pypi/12h ago

pipeline-check@1.1.0

by Daniel Martin

CI/CD Security Posture Scanner — scores AWS, Terraform, CloudFormation, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket Pipelines, Jenkins, CircleCI, Google Cloud Build, Buildkite, Drone CI, Tekton, Argo Workflows, Dockerfile, Kubernetes manifests, Helm charts, OCI image manifests, SCM repo posture (GitHub / GitLab / Bitbucket), npm and pypi dependency files against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks

steals →npm tokenGitHub PATGitLab PATAI API keys

py-pip-install-runtimereads-github-tokensreads-gitlab-tokensreads-ai-api-keysreads-env-varsreads-homedirchild-process-spawnpy-sys-platform-branch+14

→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.

weekly

431

/wk

llm verdict

malicious 0.96

h-score

patterns

size

1.7 MB

versions

AUTO-PUBLISHED/npm/2023-07-12/MAL-2026-4124

@lint-md/core@2.0.0

by yzl520

Core of lint-md which used to lint your markdown file for Chinese.

install-path-npm-publishchild-process-spawn

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

208.1 KB

versions

AUTO-PUBLISHED/npm/2026-04-27/MAL-2026-4068

@antv/mcp-server-antv@0.1.8

by GitHub Actions

MCP Server for AntV visualization libraries development, which provides documentation context and examples for visualization developers.

→ sends tohttps://github.com/antvis/mcp-server-antv

install-path-npm-publishreads-env-vars

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

118.1 KB

versions

AUTO-PUBLISHED/npm/2024-09-06/MAL-2026-4057

@antv/layout-gpu@1.1.7

by iaaron

graph layout algorithm implemented with GPGPU

→ sends tohttps://github.com/antvis/layout

install-path-npm-publish

→ 의심 전송지 없음, 원격 실행 형태 없음 — 2 known-vendor host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

1.1 MB

versions

AUTO-PUBLISHED/npm/2022-12-22/MAL-2026-4048

@antv/l7-react@2.4.3

by lviser

L7-React 已全面升级为 LarkMap,不在进行维护。 LarkMap 空间数据可视分析组件库

→ sends tohttps://github.com/antvis/L7-react

install-path-npm-publishreads-env-vars

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s), 1 other host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

203.5 KB

versions

AUTO-PUBLISHED/npm/2022-02-16/MAL-2026-4047

@antv/l7-pass@1.0.0

by yiqianyao

## Getting Started

install-path-npm-publish

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

3.2 KB

versions

AUTO-PUBLISHED/npm/2024-03-29/MAL-2026-4039

@antv/l7-editor@1.1.13

by yanxiong

Geographic data editing tool based on L7

install-path-npm-publishclipboard-accesseval-dynamicfunction-constructor

weekly

/wk

h-score

patterns

size

1.0 MB

versions

AUTO-PUBLISHED/npm/2024-08-22/MAL-2026-4038

@antv/l7-draw@3.1.5

by yanxiong

A drawing package for L7

install-path-npm-publishreads-env-vars

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

4.9 MB

versions

133

AUTO-PUBLISHED/npm/2023-12-13/MAL-2026-3995

@antv/g6-react-node@1.4.8

by iaaron

Using React Component to Define Your G6 Graph Node

install-path-npm-publish

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

weekly

472

/wk

llm verdict

benign 0.85

h-score

patterns

size

149.9 KB

versions

AUTO-PUBLISHED/npm/2022-03-02/MAL-2026-3872

@antv/dipper-map@1.0.10

by yanxiong

在线 Demo 地址: https://antv.vision/DipperMap/demo

install-path-npm-publishreads-env-varsreads-shell-historyreads-system-infochild-process-spawn

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s), 1 other host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

9.9 MB

versions

AUTO-PUBLISHED/npm/2022-01-21/MAL-2026-3871

@antv/dipper-hooks@0.2.1

by lzxue

## Getting Started

install-path-npm-publish

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

73.4 KB

versions

AUTO-PUBLISHED/npm/2021-11-03/MAL-2026-3870

@antv/dipper-component@0.0.4

by lzxue

## Getting Started

install-path-npm-publish

→ 의심 전송지 없음, 원격 실행 형태 없음 — 3 known-vendor host(s).

weekly

—

/wk

llm verdict

benign 0.85

h-score

patterns

size

130.0 KB

versions