// npm package

@antv/xflow

[English (US)](README.md) | 简体中文

npmjs.com tarball repo homepage

versions

103

maintainers

first publish

2021-11-02

publisher

newbyvector

tarball

4,333,809 B

AUTO-PUBLISHED·1 version indexed·latest published 2024-10-28

// exfil path

what is read → where it ships

steals

○ clipboard

sends to

(no destination string extracted — payload may be dynamic / obfuscated)

evidence in excerpt

> !function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("react"),require("react-dom"),require("react-dom/client")):"function"==typeof define&&define.amd?define(["exports"…

→ view full payload

// publisher campaignby newbyvector

9 caught packages from this account

This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.

// offending code· @2.2.4· 2 files flagged

llm: benign · 0.85

→ No suspicious destination, no remote-exec shape — 15 known-vendor host(s).

@2.2.4·2024-10-28·AUTO-PUBLISHED·publisher: newbyvector

heuristic 75/100

static flags 2

llm benign (0.85) via ollama

mature-packageosv-flagged:MAL-2026-4118public-github-pushclipboard-access

→ No suspicious destination, no remote-exec shape — 15 known-vendor host(s).

// offending code· 2 files flaggedpatterns: 2

--- package/package.json (excerpt) ---
{
  "name": "@antv/xflow",
  "version": "2.2.4",
  "description": "",
  "main": "dist/index.cjs.js",
  "module": "dist/index.esm.js",
  "types": "dist/typing/index.d.ts",
  "private": false,
  "files": [
    "dist",
    "src"
  ],
  "keywords": [
    "xflow",
    "x6",
    "antv"
  ],
  "dependencies": {
    "@antv/x6": "^2.15.3",
    "@antv/x6-plugin-clipboard": "^2.1.6",
    "@antv/x6-plugin-dnd": "^2.1.1",
    "@antv/x6-plugin-export": "^2.1.6",
    "@antv/x6-plugin-history": "^2.2.4",
    "@antv/x6-plugin-keyboard": "^2.2.1",
    "@antv/x6-plugin-minimap": "^2.0.6",
    "@antv/x6-plugin-scroller": "^2.0.10",
    "@antv/x6-plugin-selection": "^2.2.1",
    "@antv/x6-plugin-snapline": "^2.1.7",
    "@antv/x6-plugin-transform": "^2.1.8",
    "@antv/x6-react-shape": "^2.1.1",
    "@tippyjs/react": "^4.2.6",
    "immer": "^10.0.3",
    "lucide-react": "^0.292.0",
    "tippy.js": "^6.3.7",
    "zustand": "^4.4.3",
    "classnames": "^2.3.2"
  },
  "devDependencies": {
    "@types/react": "^18.2.37",
    "@rollup/plugin-commonjs": "^20.0.0",
    "@rollup/plugin-node-resolve": "^13.0.4",
    "@rollup/plugin-replace": "^3.0.0",
    "@rollup/plugin-typescript": "^8.2.5",
    "rollup": "^2.56.3",
    "rollup-plugin-auto-external": "^2.0.0",
    "rollup-plugin-filesize": "^9.1.1",
    "rollup-plugin-postcss": "^4.0.1",
    "rollup-plugin-progress": "^1.1.2",
    "rollup-plugin-terser": "^7.0.2",
    "less": "^4.1.1",
    "@antv/config-tsconfig": "^0.0.0",
    "@antv/config-tsup": "^0.

--- package/src/hooks/useClipboard.ts (excerpt) ---
import type { Clipboard } from '@antv/x6-plugin-clipboard';
import { useCallback } from 'react';

import { useGraphInstance } from './useGraphInstance';
import { useLoaded } from './useLoaded';

export const useClipboard = () => {
  const graph = useGraphInstance();
  const { isLoaded } = useLoaded('clipboard');

  const copy = useCallback(
    (ids: string[], copyOptions?: Clipboard.CopyOptions) => {
      if (isLoaded() && graph) {
        const cells = ids.map((id) => graph?.getCellById(id)).filter(Boolean);
        graph.copy(cells, copyOptions);
      }
    },
    [graph, isLoaded],
  );

  const cut = useCallback(
    (ids: string[], cutOptions?: Clipboard.CopyOptions) => {
      if (isLoaded() && graph) {
        const cells = ids.map((id) => graph?.getCellById(id)).filter(Boolean);
        graph.cut(cells, cutOptions);
      }
    },
    [graph, isLoaded],
  );

  const paste = useCallback(
    (pasteOptions?: Clipboard.PasteOptions) => {
      if (isLoaded() && graph) {
        const cells = graph.paste(pasteOptions);
        return cells;
      }
      return [];
    },
    [graph, isLoaded],
  );

  return { copy, cut, paste };
};


--- bundled output (OSV-MAL flagged — LLM scope expansion) ---

--- dist/index.cjs.js (bundled) ---
"use strict";
var __create = Object.create;
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __getProtoOf = Object.getPrototypeOf;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
var __export = (target, all) => {
  for (var name in all)
    __defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
  if (from && typeof from === "object" || typeof from === "function") {
    for (let key of __getOwnPropNames(from))
      if (!__hasOwnProp.call(to, key) && key !== except)
        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
  }
  return to;
};
var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
  // If the importer is in node compatibility mode or this is not an ESM
  // file that has been converted to a CommonJS file using a Babel-
  // compatible transform (i.e. "__esModule" has not been set), then set
  // "default" to the CommonJS "module.exports" for node compatibility.
  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
  mod
));
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
var __publicField = (obj, key, value) => {
  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
  return value;
};

// src/index.ts
var src_exports = {};
__export(src_exports, {
  Background: () => Background,
  Clipboard: () => Clipboard,
  Control: () => Control,
  ControlEn

--- dist/index.esm.js (bundled) ---
var __defProp = Object.defineProperty;
var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
var __publicField = (obj, key, value) => {
  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
  return value;
};

// src/index.ts
import {
  Graph as Graph2,
  Point as Point2,
  Rectangle,
  Line,
  Path,
  Polyline,
  Dom,
  Vector,
  Markup
} from "@antv/x6";

// src/components/Wrapper.tsx
import React2 from "react";

// src/hooks/useGraphInstance.ts
import { useContext } from "react";

// src/context/GraphContext.tsx
import React, { createContext, useState } from "react";
var GraphContext = createContext({
  graph: null,
  setGraph: () => {
  }
});
var GraphProvider = ({ children }) => {
  const [graph, setGraph] = useState(null);
  return /* @__PURE__ */ React.createElement(GraphContext.Provider, { value: { graph, setGraph } }, children);
};

// src/hooks/useGraphInstance.ts
var useGraphInstance = () => {
  const { graph } = useContext(GraphContext);
  return graph;
};

// src/components/Wrapper.tsx
var Wrapper = ({ children }) => {
  const graph = useGraphInstance();
  if (graph) {
    return /* @__PURE__ */ React2.createElement(React2.Fragment, null, children);
  }
  return null;
};

// src/components/XFlow.tsx
import React4 from "react";

// src/context/StoreContext.tsx
import React3, { createContext as createContext2, useRef } from "react";

// src/store/index.ts
import { StringExt } from "@antv/x6";
import { produce, original } from "immer";
import { create } from "zustand";

// src/util/algorithm.ts
var getSuperGraph = (graph, nodeId, nodeIds = []) => {
  nodeIds.push(nodeId);
  const incomingEdges = graph.getIncomingEdges(nodeId);
  incomingEdges?.forEach((edge) => {
    const source = edge.getSourceCellId();
    getSuperGraph(graph, source, nodeIds);
  });
  return nodeIds;
};
var getSubGraph = (graph, nodeId, nodeIds = []) => {
  node

--- dist/index.umd.js (bundled) ---
!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("react"),require("react-dom"),require("react-dom/client")):"function"==typeof define&&define.amd?define(["exports","react","react-dom","react-dom/client"],e):e((t="undefined"!=typeof globalThis?globalThis:t||self).XFlow={},t.React,t.ReactDOM,t.client)}(this,(function(t,e,n,i){"use strict";function r(t){return t&&"object"==typeof t&&"default"in t?t:{default:t}}var o=r(e);"object"==typeof window&&window.NodeList&&!NodeList.prototype.forEach&&(NodeList.prototype.forEach=Array.prototype.forEach),"undefined"!=typeof window&&[Element.prototype,Document.prototype,DocumentFragment.prototype].forEach((t=>{Object.prototype.hasOwnProperty.call(t,"append")||Object.defineProperty(t,"append",{configurable:!0,enumerable:!0,writable:!0,value(...t){const e=document.createDocumentFragment();t.forEach((t=>{const n=t instanceof Node;e.appendChild(n?t:document.createTextNode(String(t)))})),this.appendChild(e)}})}));class s{get disposed(){return!0===this._disposed}dispose(){this._disposed=!0}}!function(t){t.dispose=function(){return(t,e,n)=>{const i=n.value,r=t.__proto__;n.value=function(...t){this.disposed||(i.call(this,...t),r.dispose.call(this))}}}}(s||(s={}));class a{constructor(){this.isDisposed=!1,this.items=new Set}get disposed(){return this.isDisposed}dispose(){this.isDisposed||(this.isDisposed=!0,this.items.forEach((t=>{t.dispose()})),this.items.clear())}contains(t){return this.items.has(t)}add(t){this.items.add(t)}remove(t){this.items.delete(t)}clear(){this.items.clear()}}!function(t){t.from=function(e){const n=new t;return e.forEach((t=>{n.add(t)})),n}}(a||(a={}));var l="object"==typeof global&&global&&global.Object===Object&&global,c="object"==typeof self&&self&&self.Object===Object&&self,h=l||c||Function("return this")(),u=h.Symbol,d=Object.prototype,p=d.hasOwnProperty,g=d.toString,f=u?u.toStringTag:void 0;var m=Object.prototype.toString;var y="[object Null]",b="[object Undefined]",v=u?u.to

--- dist/typing/index.d.ts (bundled) ---
import { Graph, Point, Rectangle, Line, Path, Polyline, Dom, Vector, Markup } from '@antv/x6';
export * from './components';
export * from './hooks';
export * from './util';
export * from './types';
export * from '@antv/x6-react-shape';
export { Graph, Point, Rectangle, Line, Path, Polyline, Dom, Vector, Markup };
//# sourceMappingURL=index.d.ts.map

--- dist/typing/util/algorithm.d.ts (bundled) ---
import type { Graph } from '@antv/x6';
export declare const getSuperGraph: (graph: Graph, nodeId: string, nodeIds?: string[]) => string[];
export declare const getSubGraph: (graph: Graph, nodeId: string, nodeIds?: string[]) => string[];
//# sourceMappingURL=algorithm.d.ts.map

--- dist/typing/util/index.d.ts (bundled) ---
export * from './algorithm';
export * from './object';
//# sourceMappingURL=index.d.ts.map

--- dist/typing/util/object.d.ts (bundled) ---
type mpObj<T> = {
    [k in keyof T | string | number | symbol]: any;
};
export declare function apply<L, R>(target: mpObj<L>, patchItem: mpObj<R>): Partial<L> & Partial<R>;
export declare function apply<L, R>(target: mpObj<L>, patchItem: mpObj<R>): R;
export declare function apply<L, R>(target: mpObj<L>, patchItem: mpObj<R>): {};
export declare function apply<L, R>(target: mpObj<L>, patchItem: null): null;
export declare function apply<L, R>(target: mpObj<L>, patchItem: string): string;
export declare function apply<L, R>(target: mpObj<L>, patchItem: number): number;
export declare function apply<L, R>(target: mpObj<L>, patchItem: undefined): undefined;
export declare function apply<L, R>(target: mpObj<L>, patchItem: R[]): R[];
export declare function flatten(obj: any, delim?: string, stop?: (val: any) => boolean): {
    [key: string]: any;
};
export {};
//# sourceMappingURL=object.d.ts.map

--- dist/typing/types/index.d.ts (bundled) ---
/// <reference types="react" />
import t