// npm package
@adminforth/background-jobs
Background jobs plugin for AdminForth to run and manage long tasks from resources
versions
25
maintainers
6
license
MIT
first publish
2026-02-27
publisher
vanbrosh
tarball
108,147 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-06-05
// exfil path
what is read → where it shipssteals
- ● Slack tokens
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> curl -s -X POST -H "Content-Type: application/json" -d '{
> }' "$DEVELOPERS_SLACK_WEBHOOK"
> curl -sS -X POST -H "Content-Type: application/json" -d '{
> }' "$DEVELOPERS_SLACK_WEBHOOK" 2>&1
> "homepage": "https://adminforth.dev/docs/tutorial/Plugins/background-jobs/",// publisher campaignby vanbrosh
4 caught packages from this accountThis is not an isolated catch. The same publisher has shipped 3 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @1.13.0· 1 file flagged
- @1.13.0··AUTO-PUBLISHED·publisher: vanbroshheuristic 64/100static flags 1llm skippednew-publisher:16dmature-packagepublisher-multi-name-burst:6publisher-version-pump:8reads-slack-tokens
// offending code· 1 file flaggedpatterns: 1
--- package/.woodpecker/buildSlackNotify.sh (excerpt) --- #!/bin/sh set -x COMMIT_SHORT_SHA=$(echo $CI_COMMIT_SHA | cut -c1-8) STATUS=${1} if [ "$STATUS" = "success" ]; then MESSAGE="Did a build without issues on \`$CI_REPO_NAME/$CI_COMMIT_BRANCH\`. Commit: _${CI_COMMIT_MESSAGE}_ (<$CI_COMMIT_URL|$COMMIT_SHORT_SHA>)" curl -s -X POST -H "Content-Type: application/json" -d '{ "username": "'"$CI_COMMIT_AUTHOR"'", "icon_url": "'"$CI_COMMIT_AUTHOR_AVATAR"'", "attachments": [ { "mrkdwn_in": ["text", "pretext"], "color": "#36a64f", "text": "'"$MESSAGE"'" } ] }' "$DEVELOPERS_SLACK_WEBHOOK" exit 0 fi export BUILD_LOG=$(cat ./build.log) BUILD_LOG=$(echo $BUILD_LOG | sed 's/"/\\"/g') MESSAGE="Broke \`$CI_REPO_NAME/$CI_COMMIT_BRANCH\` with commit _${CI_COMMIT_MESSAGE}_ (<$CI_COMMIT_URL|$COMMIT_SHORT_SHA>)" CODE_BLOCK="\`\`\`$BUILD_LOG\n\`\`\`" echo "Sending slack message to developers $MESSAGE" # Send the message curl -sS -X POST -H "Content-Type: application/json" -d '{ "username": "'"$CI_COMMIT_AUTHOR"'", "icon_url": "'"$CI_COMMIT_AUTHOR_AVATAR"'", "attachments": [ { "mrkdwn_in": ["text", "pretext"], "color": "#8A1C12", "text": "'"$CODE_BLOCK"'", "pretext": "'"$MESSAGE"'" } ] }' "$DEVELOPERS_SLACK_WEBHOOK" 2>&1 --- package.json (entry) --- { "name": "@adminforth/background-jobs", "version": "1.13.0", "main": "dist/index.js", "types": "dist/index.d.ts", "type": "module", "homepage": "https://adminforth.dev/docs/tutorial/Plugins/background-jobs/", "publishConfig": { "access": "public" }, "scripts": { "build": "tsc && rsync -av --exclude 'node_modules' custom dist/" }, "keywords": [ "adminforth", "background-jobs", "async-processing", "task-runner", "job-management", "progress-tracking", "long-running-tasks" ], "author": "DevForth (https://devforth.io)", "license": "MIT", "description": "Background jobs plugin for AdminForth to run and manage long tasks from resources", "devDependencies": { "@types/node": "latest", "adminforth": "^2.70.0", "semantic-release": "^24.2.1", "semantic-release-slack-bot": "^4.0.2", "typescript": "^5.7.3" }, "release": { "plugins": [ "@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator", "@semantic-release/npm", "@semantic-release/github", [ "semantic-release-slack-bot", { "packageName": "@adminforth/background-jobs", --- index.js (entry) --- var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; import { AdminForthPlugin, Filters, Sorts } from "adminforth"; import { afLogger } from "adminforth"; import pLimit from 'p-limit'; import { Level } from 'level'; import fs from 'fs/promises'; import { Mutex } from 'async-mutex'; function encodeStateFieldName(fieldName) { return encodeURIComponent(fieldName); } export default class BackgroundJobsPlugin extends AdminForthPlugin { constructor(options) { super(options, import.meta.url); this.taskHandlers = {}; this.onAllTasksDoneHandle
