// npm package
@antv/istanbul
Yet another JS code coverage tool that computes statement, line, function and branch coverage with module loader hooks to transparently add coverage when running tests. Supports all JS coverage use cases including unit tests, server side functional tests
versions
1
maintainers
51
license
BSD-3-Clause
first publish
2019-04-02
publisher
dxq613
tarball
306,098 B
AUTO-PUBLISHED·1 version indexed·latest published 2019-04-02
// exfil path
what is read → where it ships
steals
- ○ home dir
sends to
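(no destination string extracted — payload may be dynamic / obfuscated)
Note: in the excerpts reproduced further down this page, the only environment or directory lookups visible are `os.tmpdir()`, `process.env.TMPDIR` and `process.cwd()`. The home-directory read behind this entry is not among them, so the excerpts alone neither confirm nor rule it out.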
→ view full payload
// publisher campaign
by dxq613
3 caught packages from this account
This is not an isolated catch. The same publisher has shipped 2 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @0.0.0· 1 file flagged
llm: benign · 0.85 → No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @0.0.0 · AUTO-PUBLISHED · publisher: dxq613 · heuristic 75/100 · static flags 2 · llm benign (0.85) via ollama · first-version-of-package · osv-flagged:MAL-2026-4031 · reads-env-vars · reads-homedir
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code · 1 file flagged · patterns: 2
--- package/lib/store/tmp.js (excerpt) ---
/*
 Copyright (c) 2012, Yahoo! Inc. All rights reserved.
 Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
 */

var util = require('util'),
    path = require('path'),
    os = require('os'),
    fs = require('fs'),
    mkdirp = require('mkdirp'),
    Store = require('./index');

/**
 * Creates a directory named `ts<current time in milliseconds>` under the
 * system temp location and returns its path.
 *
 * The base is `os.tmpdir()` when that function exists; otherwise the `TMPDIR`
 * environment variable, falling back to `/tmp`. This is the only environment
 * variable read in this excerpt, and it is used solely to build a local path.
 *
 * NOTE(review): the directory name comes from the clock, so it is predictable
 * rather than random. `mkdirp` behaves like `mkdir -p`, so a directory already
 * present at that path would presumably be accepted rather than rejected —
 * confirm. On a shared temp location, `fs.mkdtempSync` (where the Node version
 * provides it) gives an unpredictable, exclusively created directory instead.
 *
 * @returns {String} path of the directory
 */
function makeTempDir() {
    var dir = path.join(os.tmpdir ? os.tmpdir() : /* istanbul ignore next */ (process.env.TMPDIR || '/tmp'), 'ts' + new Date().getTime());
    mkdirp.sync(dir);
    return dir;
}

/**
 * a `Store` implementation using temporary files.
 *
 * Usage
 * -----
 *
 *      var store = require('istanbul').Store.create('tmp');
 *
 *
 * @class TmpStore
 * @extends Store
 * @module store
 * @param {Object} opts Optional.
 * @param {String} [opts.tmp] a pre-existing directory to use as the `tmp` directory. When not specified, a random directory
 *      is created under `os.tmpdir()`
 * @constructor
 */
function TmpStore(opts) {
    opts = opts || {};
    // Caller-supplied directory wins; otherwise a new timestamp-named one is created.
    this.tmp = opts.tmp || makeTempDir();
    this.map = {};
    this.seq = 0;
    // File-name prefix: 't' + construction time in ms + '-'.
    this.prefix = 't' + new Date().getTime() + '-';
}

TmpStore.TYPE = 'tmp';
util.inherits(TmpStore, Store);

Store.mix(TmpStore, {
    // Increments the per-store counter and returns <tmp>/<prefix><seq>.tmp.
    generateTmpFileName: function () {
        this.seq += 1;
        return path.join(this.tmp, this.prefix + this.seq + '.tmp');
    },

    // Writes `contents` as UTF-8 to a newly generated temp file name.
    // The remainder of this method is cut off by the page's excerpt.
    set: function (key, contents) {
        var tmpFile = this.generateTmpFileName();
        fs.writeFileSync(tmpFile, contents, 'utf8');
        this.m
--- bundled output (OSV-MAL flagged — LLM scope expansion) ---
--- lib/register-plugins.js (bundled) ---
/*
 Copyright (c) 2012, Yahoo! Inc. All rights reserved.
 Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
 */

// Loads the three plugin registries and calls loadAll() on each at require time.
// What loadAll() does is not visible in this excerpt.
var Store = require('./store'),
    Report = require('./report'),
    Command = require('./command');

Store.loadAll();
Report.loadAll();
Command.loadAll();
--- lib/util/file-matcher.js (bundled) ---
/*
 Copyright (c) 2012, Yahoo! Inc. All rights reserved.
 Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
*/

var async = require('async'),
    glob = require('glob'),
    fs = require('fs'),
    path = require('path'),
    seq = 0;

/**
 * Lists files under a root directory that match include/exclude glob patterns.
 *
 * Defaults visible here: `root` is `process.cwd()`, `includes` is `['**\/*.js']`
 * and `excludes` is `['**\/node_modules/**']` (each default also applies when
 * the supplied value is not an array). Directories are excluded (`nodir`).
 *
 * Result shape, as passed to `callback(err, files)`:
 *  - `options.relative` truthy: the paths exactly as glob returned them;
 *  - otherwise, `options.realpath` falsy: paths resolved against `root`;
 *  - otherwise: resolved paths run through `fs.realpath`.
 *
 * Only local file-system enumeration is performed in this function.
 *
 * @param {Object} [options] may be omitted, in which case the first argument is the callback
 * @param {Function} callback node-style callback
 */
function filesFor(options, callback) {
    // Support the filesFor(callback) call form.
    if (!callback && typeof options === 'function') {
        callback = options;
        options = null;
    }
    options = options || {};

    var root = options.root,
        includes = options.includes,
        excludes = options.excludes,
        realpath = options.realpath,
        relative = options.relative,
        opts;

    root = root || process.cwd();
    includes = includes && Array.isArray(includes) ? includes : [ '**/*.js' ];
    excludes = excludes && Array.isArray(excludes) ? excludes : [ '**/node_modules/**' ];

    opts = {
        cwd: root,
        nodir: true,
        ignore: excludes
    };

    seq += 1;
    opts['x' + seq + new Date().getTime()] = true; //cache buster for minimatch cache bug
    // NOTE(review): all include patterns are joined with a single space into one
    // pattern string — confirm glob interprets that as intended.
    glob(includes.join(' '), opts, function (err, files) {
        if (err) { return callback(err); }
        if (relative) { return callback(err, files); }

        if (!realpath) {
            files = files.map(function (file) { return path.resolve(root, file); });
            return callback(err, files);
        }

        // Reuses an internal cache from Node's module loader when present (private API).
        var realPathCache = module.constructor._realpathCache || {};

        async.map(files, function (file, done) {
            fs.realpath(path.resolve(root, file), realPathCache, done);
        }, callback);
    });
}

/**
 * Builds on `filesFor` with absolute, real paths forced on.
 *
 * Note that `relative` and `realpath` are written onto the caller's `options`
 * object itself. The rest of this function is cut off by the page's excerpt.
 *
 * @param {Object} [options] same options as `filesFor`; may be omitted
 * @param {Function} callback node-style callback
 */
function matcherFor(options, callback) {

    if (!callback && typeof options === 'function') {
        callback = options;
        options = null;
    }
    options = options || {};
    options.relative = false; //force absolute paths
    options.realpath = true; //force real paths (to match Node.js module paths)

    filesFor(options, function (err, files) {
        var fileMap = {},
            matchFn;
        if (err) { return ca
--- lib/util/file-writer.js (bundled) ---
/*
 Copyright (c) 2012, Yahoo! Inc. All rights reserved.
 Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
*/

var path = require('path'),
    util = require('util'),
    fs = require('fs'),
    async = require('async'),
    mkdirp = require('mkdirp'),
    writer = require('./writer'),
    Writer = writer.Writer,
    ContentWriter = writer.ContentWriter;

// Copies every own enumerable key of `proto` onto `cons.prototype`.
function extend(cons, proto) {
    Object.keys(proto).forEach(function (k) {
        cons.prototype[k] = proto[k];
    });
}

// ContentWriter that accumulates everything written into an in-memory string.
function BufferedContentWriter() {
    ContentWriter.call(this);
    this.content = '';
}
util.inherits(BufferedContentWriter, ContentWriter);

extend(BufferedContentWriter, {
    // Appends `str` to the buffer.
    write: function (str) {
        this.content += str;
    },
    // Returns everything written so far.
    getContent: function () {
        return this.content;
    }
});

// ContentWriter that forwards each write to the stream passed to the constructor.
function StreamContentWriter(stream) {
    ContentWriter.call(this);
    this.stream = stream;
}
util.inherits(StreamContentWriter, ContentWriter);

extend(StreamContentWriter, {
    write: function (str) {
        this.stream.write(str);
    }
});

// Writer that produces each file synchronously.
function SyncFileWriter() {
    Writer.call(this);
}
util.inherits(SyncFileWriter, Writer);

extend(SyncFileWriter, {
    // Creates the parent directory, lets `callback` fill an in-memory buffer,
    // then writes that buffer to `file` as UTF-8 in one synchronous call.
    // The destination is whatever path the caller passes; no validation of it
    // is visible in this excerpt.
    writeFile: function (file, callback) {
        mkdirp.sync(path.dirname(file));
        var cw = new BufferedContentWriter();
        callback(cw);
        fs.writeFileSync(file, cw.getContent(), 'utf8');
    },
    done: function () {
        this.emit('done'); //everything already done
    }
});

// Writer that queues file writes through async.queue with a concurrency of 20.
function AsyncFileWriter() {
    this.queue = async.queue(this.processFile.bind(this), 20);
    this.openFileMap = {};
}

util.inherits(AsyncFileWriter, Writer);

extend(AsyncFileWriter, {
    // Marks `file` as open and enqueues the write task.
    writeFile: function (file, callback) {
        this.openFileMap[file] = true;
        this.queue.push({ file: file, callback: callback });
    },
    // Queue worker; its body is cut off by the page's excerpt.
    processFile: function (task, cb) {
        var file = task.file,
            userCallback = task.callback,
            that = this,
            st
--- lib/util/help-formatter.js (bundled) ---
/*
 Copyright (c) 2012, Yahoo! Inc. All rights reserved.
 Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
*/

var OPT_PREFIX = " ",
    OPT_START = OPT_PREFIX.length,
    TEXT_START = 14,
    STOP = 80,
    // Two wordwrap instances: one for option help text, one for paragraphs.
    wrap = require('wordwrap')(TEXT_START, STOP),
    paraWrap = require('wordwrap')(1, STOP);

// Wraps a paragraph of help text with the paragraph wrapper.
function formatPara(text) {
    return paraWrap(text);
}

/**
 * Formats one option together with its wrapped help text.
 *
 * When the option name is longer than `TEXT_START - OPT_START - 2` characters,
 * it is placed on its own line above the help text. Otherwise the prefixed
 * option name replaces the first `(OPT_PREFIX + option).length` characters of
 * the wrapped text, so both share the first line.
 *
 * @param {String} option the option name
 * @param {String} helpText the description to wrap
 * @returns {String} the formatted text
 */
function formatOption(option, helpText) {
    var formattedText = wrap(helpText);

    if (option.length > TEXT_START - OPT_START - 2) {
        return OPT_PREFIX + option + '\n' + formattedText;
    } else {
        return OPT_PREFIX + option + formattedText.substring((OPT_PREFIX + option).length);
    }
}

module.exports = {
    formatPara: formatPara,
    formatOption: formatOption
};
--- lib/util/tree-summarizer.js (bundled) ---
/*
 Copyright (c) 2012, Yahoo! Inc. All rights reserved.
 Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
 */

var path = require('path'),
    SEP = path.sep || '/',
    utils = require('../object-utils');

// Returns the leading run of elements that `first` and `second` have in common.
function commonArrayPrefix(first, second) {
    var len = first.length < second.length ? first.length : second.length,
        i,
        ret = [];
    for (i = 0; i < len; i += 1) {
        if (first[i] === second[i]) {
            ret.push(first[i]);
        } else {
            break;
        }
    }
    return ret;
}

/**
 * Finds the path components shared by every string in `args`.
 *
 * Each string is split on `SEP`. With no input the result is empty; with a
 * single input the result is that path's components minus the last one;
 * otherwise the component arrays are reduced with `commonArrayPrefix`.
 *
 * @param {Array} args path strings
 * @returns {Array} the shared leading components
 */
function findCommonArrayPrefix(args) {
    if (args.length === 0) {
        return [];
    }

    var separated = args.map(function (arg) { return arg.split(SEP); }),
        ret = separated.pop();

    if (separated.length === 0) {
        return ret.slice(0, ret.length - 1);
    } else {
        return separated.reduce(commonArrayPrefix, ret);
    }
}

// Tree node. `name` and `fullName` both start as `fullName`; `relativeName`,
// read by the methods below, is not assigned in this constructor.
function Node(fullName, kind, metrics) {
    this.name = fullName;
    this.fullName = fullName;
    this.kind = kind;
    this.metrics = metrics || null;
    this.parent = null;
    this.children = [];
}

Node.prototype = {
    displayShortName: function () {
        return this.relativeName;
    },
    fullPath: function () {
        return this.fullName;
    },
    // Appends `child` and points its `parent` back at this node.
    addChild: function (child) {
        this.children.push(child);
        child.parent = this;
    },
    // Plain-object form of the subtree. The parent is emitted by name only
    // (presumably to avoid a circular structure); children are serialized recursively.
    toJSON: function () {
        return {
            name: this.name,
            relativeName: this.relativeName,
            fullName: this.fullName,
            kind: this.kind,
            metrics: this.metrics,
            parent: this.parent === null ? null : this.parent.name,
            children: this.children.map(function (node) { return node.toJSON(); })
        };
    }
};

// Stores the common prefix and delegates tree construction to convertToTree,
// which is not visible in this excerpt.
function TreeSummary(summaryMap, commonPrefix) {
    this.prefix = commonPrefix;
    this.convertToTree(summaryMap, commonPrefix);
}

TreeSummary.prototype = {
    // Body cut off by the page's excerpt.
    getNode: function (shortName) {
        re
--- lib/report/json-summary.js (bundled) ---
/*
 Copyright (c) 2012, Yahoo! Inc. All rights reserved.
 Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
 */

var path = require('path'),
    objectUtils = require('../object-utils'),
    Writer = require('../util/file-writer'),
    util = require('util'),
    Report = require('./index');
/**
 * a `Report` implementation that produces a coverage JSON object with summary info only.
 *
 * Usage
 * -----
 *
 *      var report = require('istanbul').Report.create('json-summary');
 *
 *
 * @class JsonSummaryReport
 * @extends Report
 * @module report
 * @constructor
 * @param
