// npm 패키지
@antv/g2-brush
Select a one-, two-dimensional or irregular region using the mouse.
버전
2
메인테이너
51
라이선스
MIT
최초 publish
2017-12-15
publisher
simaq
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2017-12-15
// exfil path
what is read → where it ships
steals
- ○ clipboard
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
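evidence in excerpt (lines that matched the static patterns; none of them shows a clipboard read or a network send — the first is from getFiles in package/demos/app.js, the second is the clipboard.js v1.7.1 license banner, and the last three are the opening UMD wrappers of the bundled .min.js files shown below)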
> return readdirSync(source).map(function(name) {
> * https://zenorocha.github.io/clipboard.js
> !function(t){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var e;e="undefined"!=typeof window?window:"undef…
> !function(n,t){"object"==typeof exports&&"object"==typeof module?module.exports=t():"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.DataSet=t():n.DataSet=t()}(this,…
> !function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.Brush=e():t.Brush=e()}(this,func…
// publisher 캠페인 by simaq
이 계정에서 catch된 패키지 4건
고립된 catch가 아닙니다. 동일 publisher가 3개의 다른 패키지를 추가로 발행했고, 모두 파이프라인이 catch했습니다 — 일회성이 아닌 조직적 캠페인의 형태. 아래 링크는 각 형제 catch의 분석으로 이동합니다.
// offending code· @0.0.2· 3 files flagged
llm: benign · 0.85→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).
- @0.0.2 · AUTO-PUBLISHED · publisher: simaq · heuristic 75/100 · static flags 5 · llm benign (0.85) via ollama · osv-flagged: MAL-2026-3974 · reads-env-vars · clipboard-access · function-constructor · child-process-spawn · reads-homedir
→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).
// offending code · 3 files flagged · patterns: 5
--- install scripts ---
### prepublishOnly npm run dist
// NOTE(review): prepublishOnly is the only lifecycle script listed in this section. npm runs it
// on `npm publish`, not when a consumer installs the package; no preinstall/install/postinstall
// hook appears in this excerpt.
--- package/demos/app.js (excerpt) ---
// Demo script of the package (excerpt). The visible part loads its dependencies, defines two
// small file-listing helpers, ensures a screenshots directory exists under the current working
// directory, parses command-line options and begins defining a connect-based server.

// This is an assignment to the process environment, not a read of it: it sets DEBUG to 'app:*'
// before the `debug` module is loaded on the next line.
process.env.DEBUG = 'app:*';
const debug = require('debug')('app:demos');
// NOTE(review): get-port, http, open, serve-static and parseurl are loaded here but their call
// sites are outside the excerpt, so how they are used cannot be confirmed from this page.
const commander = require('commander');
const connect = require('connect');
const getPort = require('get-port');
const http = require('http');
const open = require('open');
const serveStatic = require('serve-static');
const parseurl = require('parseurl');
const assign = require('lodash').assign;
const path = require('path');
const resolve = path.resolve;
const extname = path.extname;
const basename = path.basename;
const join = path.join;
const fs = require('fs');
const statSync = fs.statSync;
const lstatSync = fs.lstatSync;
const readdirSync = fs.readdirSync;
const readFileSync = fs.readFileSync;
const mkdirSync = fs.mkdirSync;
const writeFile = fs.writeFile;
const nunjucks = require('nunjucks');
const renderString = nunjucks.renderString;
const pkg = require('../package.json');

/**
 * Reports whether `source` is a regular file.
 * lstatSync is used, so a symbolic link is examined itself rather than its target.
 * @param {string} source - path to examine
 * @returns {boolean} result of Stats#isFile() for the path
 * @throws whatever lstatSync throws, e.g. when the path does not exist
 */
function isFile(source) {
  return lstatSync(source).isFile();
}

/**
 * Lists the regular files directly inside `source` (one level, no recursion).
 * Each entry name is joined onto `source`, then entries for which isFile() is false are dropped.
 * The `readdirSync(source)` line is the one the report quotes under "evidence in excerpt".
 * Which directory is passed in cannot be told from here: the callers are outside the excerpt.
 * @param {string} source - directory to list
 * @returns {string[]} joined paths of the entries that are regular files
 */
function getFiles(source) {
  return readdirSync(source).map(function(name) {
    return join(source, name);
  }).filter(isFile);
}

// Screenshot directory is resolved against the current working directory, not a user profile path.
const screenshotsPath = join(process.cwd(), './demos/assets/screenshots');
try {
  statSync(screenshotsPath);
} catch (e) {
  // Any statSync failure, not only "does not exist", leads to the mkdirSync call.
  mkdirSync(screenshotsPath);
}

// Command-line interface: version taken from package.json, a --web switch and a --port value
// that is converted with parseInt.
commander
  .version(pkg.version)
  .option('-w, --web')
  .option('-p, --port <port>', 'specify a port number to run on', parseInt)
  .parse(process.argv);

// Begins building a connect application with one middleware; the body is not visible past the
// first condition.
function startService(port) {
  const server = connect();
  server.use((req, res, next) => {
    // The excerpt is cut inside the string literal on the next line; the text after 'GET is the
    // report's separator for the next file, not part of app.js.
    if (req.method === 'GET --- package/demos/assets/clipboard-1.7.1.min.js (excerpt) --- /*! 
* clipboard.js v1.7.1 * https://zenorocha.github.io/clipboard.js * * Licensed MIT © Zeno Rocha */ !function(t){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var e;e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,e.Clipboard=t()}}(function(){var t,e,n;return function t(e,n,o){function i(a,c){if(!n[a]){if(!e[a]){var l="function"==typeof require&&require;if(!c&&l)return l(a,!0);if(r)return r(a,!0);var s=new Error("Cannot find module '"+a+"'");throw s.code="MODULE_NOT_FOUND",s}var u=n[a]={exports:{}};e[a][0].call(u.exports,function(t){var n=e[a][1][t];return i(n||t)},u,u.exports,t,e,n,o)}return n[a].exports}for(var r="function"==typeof require&&require,a=0;a<o.length;a++)i(o[a]);return i}({1:[function(t,e,n){function o(t,e){for(;t&&t.nodeType!==i;){if("function"==typeof t.matches&&t.matches(e))return t;t=t.parentNode}}var i=9;if("undefined"!=typeof Element&&!Element.prototype.matches){var r=Element.prototype;r.matches=r.matchesSelector||r.mozMatchesSelector||r.msMatchesSelector||r.oMatchesSelector||r.webkitMatchesSelector}e.exports=o},{}],2:[function(t,e,n){function o(t,e,n,o,r){var a=i.apply(this,arguments);return t.addEventListener(n,a,r),{destroy:function(){t.removeEventListener(n,a,r)}}}function i(t,e,n,o){return function(n){n.delegateTarget=r(n.target,e),n.delegateTarget&&o.call(t,n)}}var r=t("./closest");e.exports=o},{ --- package/demos/assets/data-set.min.js (excerpt) --- !function(n,t){"object"==typeof exports&&"object"==typeof module?module.exports=t():"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.DataSet=t():n.DataSet=t()}(this,function(){return function(n){function t(r){if(e[r])return e[r].exports;var o=e[r]={i:r,l:!1,exports:{}};return n[r].call(o.exports,o,o.exports,t),o.l=!0,o.exports}var e={};return 
t.m=n,t.c=e,t.d=function(n,e,r){t.o(n,e)||Object.defineProperty(n,e,{configurable:!1,enumerable:!0,get:r})},t.n=function(n){var e=n&&n.__esModule?function(){return n.default}:function(){return n};return t.d(e,"a",e),e},t.o=function(n,t){return Object.prototype.hasOwnProperty.call(n,t)},t.p="",t(t.s=273)}([function(n,t,e){function r(n){return n&&n.__esModule?n:{default:n}}t.__esModule=!0;var o=e(145);Object.defineProperty(t,"geoArea",{enumerable:!0,get:function(){return r(o).default}});var i=e(294);Object.defineProperty(t,"geoBounds",{enumerable:!0,get:function(){return r(i).default}});var a=e(295);Object.defineProperty(t,"geoCentroid",{enumerable:!0,get:function(){return r(a).default}});var u=e(146);Object.defineProperty(t,"geoCircle",{enumerable:!0,get:function(){return r(u).default}});var c=e(148);Object.defineProperty(t,"geoClipAntimeridian",{enumerable:!0,get:function(){return r(c).default}});var f=e(166);Object.defineProperty(t,"geoClipCircle",{enumerable:!0,get:function(){return r(f).default}});var l=e(313);Object.defineProperty(t,"geoClipExtent",{enumerable:!0,get:function(){return r(l).default}} --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- dist/g2-brush.min.js (bundled) --- !function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.Brush=e():t.Brush=e()}(this,function(){return function(t){function e(n){if(r[n])return r[n].exports;var a=r[n]={i:n,l:!1,exports:{}};return t[n].call(a.exports,a,a.exports,e),a.l=!0,a.exports}var r={};return e.m=t,e.c=r,e.d=function(t,r,n){e.o(t,r)||Object.defineProperty(t,r,{configurable:!1,enumerable:!0,get:n})},e.n=function(t){var r=t&&t.__esModule?function(){return t.default}:function(){return t};return e.d(r,"a",r),r},e.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},e.p="",e(e.s=0)}([function(t,e,r){var n=r(1);t.exports=n},function(t,e,r){function n(t,e){if(!(t instanceof 
e))throw new TypeError("Cannot call a class as a function")}var a=r(2),i=["X","Y","XY","POLYGON"],o=function(){function t(e){n(this,t),this.startPoint=null,this.brushing=!1,this.dragging=!1,this.brushShape=null,this.container=null,this.polygonPath=null,this.style={fill:"#C5D4EB",opacity:.3,lineWidth:1,stroke:"#82A6DD"},this.type="XY",this.dragable=!1,this.dragoffX=0,this.dragoffY=0,this.inPlot=!0,this.xField=null,this.yField=null,this.filter=!e.dragable,this.onBrushstart=null,this.onBrushmove=null,this.onBrushend=null,this.onDragstart=null,this.onDragmove=null,this.onDragend=null,this._init(e)}return t.prototype._init=function(t){a.mix(this,t),this.type=this.type.toUpperCase(),-1===i.indexOf(this.type)&&(this.type="XY");var e=this.canvas;if(e){var r=void 0;e.get("children").map(function(t){return"plotBack"===t.get("type")?(r=t.get("plotRange"),!1):t}),this.plot={start:r.bl,end:r.tr},this.bindCanvasEvent()}if(this.chart){var n=this.chart,o=n.get("coord");this.plot={start:o.start,end:o.end};var s=n._getScales("x"),h=n._getScales("y");this.xScale=this.xField?s[this.xField]:n.getXScale(),this.yScale=this.yField?h[this.yField]:n.getYScales()[0]}},t.prototype.clearEvents=function(){this.onMouseDownListener&&this.onM --- build/g2-brush.js (bundled) --- (function webpackUniversalModuleDefinition(root, factory) { if(typeof exports === 'object' && typeof module === 'object') module.exports = factory(); else if(typeof define === 'function' && define.amd) define([], factory); else if(typeof exports === 'object') exports["Brush"] = factory(); else root["Brush"] = factory(); })(this, function() { return /******/ (function(modules) { // webpackBootstrap /******/ // The module cache /******/ var installedModules = {}; /******/ /******/ // The require function /******/ function __webpack_require__(moduleId) { /******/ /******/ // Check if module is in cache /******/ if(installedModules[moduleId]) { /******/ return installedModules[moduleId].exports; /******/ } /******/ // Create a 
new module (and put it into the cache) /******/ var module = installedModules[moduleId] = { /******/ i: moduleId, /******/ l: false, /******/ exports: {} /******/ }; /******/ /******/ // Execute the module function /******/ modules[moduleId].call(module.exports, module, module.exports, __webpack_require__); /******/ /******/ // Flag the module as loaded /******/ module.l = true; /******/ /******/ // Return the exports of the module /******/ return module.exports; /******/ } /******/ /******/ /******/ // expose the modules object (__webpack_modules__) /******/ __webpack_require__.m = modules; /******/ /******/ // expose the module cache /******/ __webpack_require__.c = installedModules; /******/ /******/ // define getter function for harmony exports /******/ __webpack_require__.d = function(exports, name, getter) { /******/ if(!__webpack_require__.o(exports, name)) { /******/ Object.defineProperty(exports, name, { /******/ configurable: false, /******/ enumerable: true, /******/ get: getter /******/ }); /******/ } /******/ }; /******/ /******/ // getDefaultExport function for compatibility with non-harmony modules /******/ __webpack_require__.n = function(module) { --- build/g2-plugin-brush.js (bundled) --- (function webpackUniversalModuleDefinition(root, factory) { if(typeof exports === 'object' && typeof module === 'object') module.exports = factory(); else if(typeof define === 'function' && define.amd) define([], factory); else if(typeof exports === 'object') exports["Brush"] = factory(); else root["Brush"] = factory(); })(typeof self !== 'undefined' ? 
self : this, function() { return /******/ (function(modules) { // webpackBootstrap /******/ // The module cache /******/ var installedModules = {}; /******/ /******/ // The require function /******/ function __webpack_require__(moduleId) { /******/ /******/ // Check if module is in cache /******/ if(installedModules[moduleId]) { /******/ return installedModules[moduleId].exports; /******/ } /******/ // Create a new module (and put it into the cache) /******/ var module = installedModules[moduleId] = { /******/ i: moduleId, /******/ l: false, /******/ exports: {} /******/ }; /******/ /******/ // Execute the module function /******/ modules[moduleId].call(module.exports, module, module.exports, __webpack_require__); /******/ /******/ // Flag the module as loaded /******/ module.l = true; /******/ /******/ // Return the exports of the module /******/ return module.exports; /******/ } /******/ /******/ /******/ // expose the modules object (__webpack_modules__) /******/ __webpack_require__.m = modules; /******/ /******/ // expose the module cache /******/ __webpack_require__.c = installedModules; /******/ /******/ // define getter function for harmony exports /******/ __webpack_require__.d = function(exports, name, getter) { /******/ if(!__webpack_require__.o(exports, name)) { /******/ Object.defineProperty(exports, name, { /******/ configurable: false, /******/ enumerable: true, /******/ get: getter /******/ }); /******/ } /******/ }; /******/ /******/ // getDefaultExport function for compatibility with non-harmony modules /******/ __webp
