// npm package
@byline/host-tanstack-start
TanStack Start host adapter for Byline CMS — server fns, auth context, integration glue, admin shell, and route factories
versions
51
maintainers
2
license
MPL-2.0
first publish
2026-05-03
publisher
58bits
tarball
914,788 B
AUTO-PUBLISHED·4 versions indexed·latest published 2026-05-20
// exfil path
what is read → where it ships
steals
- ● Chromium logins
sends to
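(no destination string extracted — payload may be dynamic / obfuscated). The evidence quoted below consists only of package-metadata and licence URLs, so this section reflects the static `reads-chromium-creds` pattern flag rather than an observed read of browser credentials or an observed upload.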
evidence in excerpt
> "homepage": "https://github.com/Byline-CMS/bylinecms.dev", > "url": "https://github.com/Byline-CMS/bylinecms.dev/issues" > "url": "git+https://github.com/Byline-CMS/bylinecms.dev.git", > * file, You can obtain one at http://mozilla.org/MPL/2.0/. > * file, You can obtain one at http://mozilla.org/MPL/2.0/.
// offending code· @2.2.6· 4 files flagged
llm: benign · 0.85 → No suspicious destination, no remote-exec shape — 1 known-vendor host(s), 2 other host(s).
- @2.2.6··AUTO-PUBLISHED · publisher: 58bits · heuristic 89/100 · static flags 3 · llm benign (0.85) via ollama · new-publisher:1d · known-actor-target:teampcp:tanstack · mature-package · publisher-multi-name-burst:11 · publisher-version-pump:48 · public-github-push · reads-chromium-creds · reads-env-vars
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s), 2 other host(s).
// offending code · 4 files flagged · patterns: 3
--- package/package.json (excerpt) --- { "name": "@byline/host-tanstack-start", "private": false, "type": "module", "license": "MPL-2.0", "version": "2.2.6", "engines": { "node": ">=20.9.0" }, "description": "TanStack Start host adapter for Byline CMS — server fns, auth context, integration glue, admin shell, and route factories", "keywords": [ "cms", "headless cms", "content management", "tanstack", "tanstack start" ], "homepage": "https://github.com/Byline-CMS/bylinecms.dev", "bugs": { "url": "https://github.com/Byline-CMS/bylinecms.dev/issues" }, "repository": { "type": "git", "url": "git+https://github.com/Byline-CMS/bylinecms.dev.git", "directory": "packages/host-tanstack-start" }, "sideEffects": [ "**/*.css" ], "types": "./dist/index.d.ts", "module": "./dist/index.js", "main": "./dist/index.js", "files": [ "dist/", "src/" ], "exports": { ".": { "types": "./dist/index.d.ts", "import": "./dist/index.js", "main": "./dist/index.js", "default": "./dist/index.js" }, "./server-fns/admin-account": { "types": "./dist/server-fns/admin-account/index.d.ts", "import": "./dist/server-fns/admin-account/index.js" }, "./server-fns/ai": { "types": "./dist/server-fns/ai/index.d.ts", "import": "./dist/server-fns/ai/index.js" }, "./server-fns/admin-permissions": { "types": "./dist/server-fns/admin-permissions/index.d.ts", "import": "./dist/server --- package/src/index.ts (excerpt) --- /** * This Source Code is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * Copyright (c) Infonomic Company Limited */ /** * `@byline/host-tanstack-start` — TanStack Start host adapter for Byline. * * Houses everything that's framework-coupled to TanStack Start / * Router so the framework-neutral packages (`@byline/core`, `@byline/admin`, * `@byline/client`, `@byline/auth`, `@byline/ui`) stay framework-neutral. 
* * Surface is exposed via subpath exports rather than a single root barrel * so hosts only pull in what they consume: * * - `@byline/host-tanstack-start/server-fns/<module>` — TanStack Start * server functions for each admin module (admin-account, admin-roles, * admin-users, admin-permissions, auth, collections). * - `@byline/host-tanstack-start/auth/auth-context` — request-scoped * `RequestContext` resolution that reads session cookies, refreshes * transparently, and surfaces `ERR_UNAUTHENTICATED` to callers. * - `@byline/host-tanstack-start/integrations/*` — host-side adapters * binding TanStack Start primitives to the framework-neutral * contracts in `@byline/ui` and `@byline/client` * (`bylineFieldServices`, `bylineAdminServices`, the admin * `BylineClient` singleton). * - `@byline/host-tanstack-start/admin-shell/{chrome,collections,...}` — * router-coupled admin UI: s
--- package/src/server-fns/preview/disable.ts (excerpt) ---
/**
 * This Source Code is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * Copyright (c) Infonomic Company Limited
 */

/**
 * Disable front-end preview mode by clearing the `byline_preview` cookie.
 *
 * No auth check: clearing your own preview cookie is always safe, and
 * letting an anonymous browser drop a stale cookie is the recovery path
 * when an admin's session has already lapsed.
 */

import { createServerFn } from '@tanstack/react-start'

import { clearPreviewCookie } from '../../auth/preview-cookies.js'

/**
 * POST server function that turns preview mode off.
 *
 * The handler takes no input, calls `clearPreviewCookie()` and returns a
 * fixed payload. It performs no authentication or authorization check; the
 * file header above states that this is deliberate.
 *
 * NOTE(review): `clearPreviewCookie` is not part of this excerpt. Because the
 * endpoint is reachable without a session, confirm that the helper only
 * expires the caller's own preview cookie and touches no other session state.
 *
 * @returns `{ status: 'ok', preview: false }`
 */
export const disablePreviewModeFn = createServerFn({ method: 'POST' }).handler(async () => {
  // Only side effect visible in this excerpt: the preview cookie is cleared.
  clearPreviewCookie()
  return { status: 'ok' as const, preview: false as const }
})
--- package/src/server-fns/preview/enable.ts (excerpt) ---
/**
 * This Source Code is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * Copyright (c) Infonomic Company Limited
 */

/**
 * Enable front-end preview mode for the current admin session.
 *
 * Resolves an admin `RequestContext` first — `getAdminRequestContext`
 * throws `ERR_UNAUTHENTICATED` for non-admin callers, so the cookie is
 * only ever issued to a valid admin. Once set, the viewer client picks
 * the cookie up on subsequent requests and elevates the read context.
 */

import { createServerFn } from '@tanstack/react-start'

import { getAdminRequestContext } from '../../auth/auth-context.js'
import { setPreviewCookie } from '../../auth/preview-cookies.js'

/**
 * POST server function that turns preview mode on for an admin caller.
 *
 * The handler takes no input. It first awaits `getAdminRequestContext()` and
 * only then calls `setPreviewCookie()`.
 *
 * @returns `{ status: 'ok', preview: true }` once the cookie has been set
 * @throws whatever `getAdminRequestContext()` throws; per the file header
 *   above that is `ERR_UNAUTHENTICATED` for non-admin callers
 */
export const enablePreviewModeFn = createServerFn({ method: 'POST' }).handler(async () => {
  // Authorization gate. The resolved context is discarded on purpose: the call
  // is made only so that it throws before any cookie is issued. Keep the
  // `await` and keep this line ahead of setPreviewCookie(); without the await
  // a rejected promise would not stop the handler before the cookie is set.
  await getAdminRequestContext()
  // NOTE(review): the cookie's attributes (HttpOnly, Secure, SameSite,
  // lifetime) are decided inside setPreviewCookie, which is not shown in this
  // excerpt — confirm them there, since the file header says this cookie
  // elevates the read context on later requests.
  setPreviewCookie()
  return { status: 'ok' as const, preview: true as const }
})
