// npm package
@checkstack/backend
versions
58
maintainers
1
license
Elastic-2.0
first publish
2026-01-09
publisher
enyineer
tarball
686,522 B
AUTO-PUBLISHED·4 versions indexed·latest published 2026-06-07
// exfil path
what is read → where it ships
steals
- ● GitHub PAT
sends to
(no destination string was extracted — the payload may be dynamic or obfuscated)
evidence in excerpt
> createWebSocketHandler,
// publisher campaign · by enyineer
2 caught packages from this account
This is not an isolated catch. The same publisher has shipped 1 other package that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @0.18.0· 4 files flagged
- @0.18.0 · AUTO-PUBLISHED · publisher: enyineer · heuristic 64/100 · static flags 4 · llm skipped · new-publisher:25d · mature-package · publisher-multi-name-burst:84 · publisher-version-pump:111 · reads-env-vars · base64-decode · reads-github-tokens · child-process-spawn
// offending code · 4 files flagged · patterns: 4
--- package/drizzle.config.ts (excerpt) ---
import { defineConfig } from "drizzle-kit";

// drizzle-kit CLI configuration; the connection URL comes from the environment.
export default defineConfig({
  schema: "./src/schema.ts",
  out: "./drizzle",
  dialect: "postgresql",
  dbCredentials: {
    // Non-null assertion only: an unset DATABASE_URL reaches drizzle-kit as
    // `undefined` instead of failing here. src/db.ts below checks the same
    // variable explicitly and throws when it is missing.
    url: process.env.DATABASE_URL!,
  },
});
--- package/src/db.ts (excerpt) ---
import { drizzle } from "drizzle-orm/node-postgres";
import { Pool, type PoolConfig } from "pg";
import * as schema from "./schema";
import { rootLogger } from "./logger";

// NOTE(review): the environment reads visible in these excerpts are
// DATABASE_URL (here and in drizzle.config.ts), the integers read through
// intFromEnv, and NODE_ENV in logger.ts. Nothing in the excerpts reads a
// GitHub token, decodes base64 or spawns a child process; those scanner
// flags have to be confirmed against the full sources, which are not on
// this page.

// A basic connection string sometimes fails with Bun + pg + docker (SASL).
// The alternatives are parsing it manually or relying on pg to pick up the
// ENV variables when nothing is passed — but a connectionString is passed
// here, so the config is parsed explicitly (falling back to individual env
// vars) to avoid SASL string errors.
const connectionString = process.env.DATABASE_URL;
// Fail fast at module load rather than on the first query.
if (!connectionString) {
  throw new Error("DATABASE_URL is not defined");
}

/**
 * Parse a positive-integer env var, falling back to `fallback` when unset/invalid.
 *
 * @param name - name of the environment variable to read via `process.env[name]`
 * @param fallback - value returned when the variable is unset, empty, NaN or <= 0
 * @returns the parsed positive integer, otherwise `fallback`
 *
 * `Number.parseInt` stops at the first non-digit, so a value such as "8abc"
 * parses as 8 rather than falling back.
 */
function intFromEnv(name: string, fallback: number): number {
  const raw = process.env[name];
  if (raw === undefined || raw === "") return fallback;
  const parsed = Number.parseInt(raw, 10);
  // isFinite rejects NaN; `> 0` rejects zero and negative values.
  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
}

/**
 * ## Connection budget (read this before bumping the defaults)
 *
 * The platform runs as N horizontally-scaled pods sharing ONE Postgres. The
 * server-wide ceiling is `max_connections`, so the real budget is:
 *
 *   N_pods * (adminPool.max + lockPool.max) <= max_connections - headroom
 *
 * Size the pools off that budget (via the env vars below), NOT off the number
 * of plugins: connections are never pinned per-plugin. The scoped-db proxy sets
 * `SET LOCAL search_path` per transaction on a borrowed-then-returned
 * connection, so a connection
 * (the scanner's excerpt of db.ts is truncated at this point)
 */
--- package/src/index.ts (excerpt) ---
// This excerpt contains only the module's import list; no runtime logic is
// visible here.
import type { Server } from "bun";
import { type Context, Hono } from "hono";
import { TrieRouter } from "hono/router/trie-router";
import { PluginManager } from "./plugin-manager";
import { migrate } from "drizzle-orm/node-postgres/migrator";
import { db } from "./db";
import path from "node:path";
import fs from "node:fs";
import { rootLogger } from "./logger";
import { coreServices, coreHooks } from "@checkstack/backend-api";
import { extractErrorMessage } from "@checkstack/common";
import { plugins } from "./schema";
import { eq, and } from "drizzle-orm";
import { QueuePluginRegistryImpl } from "./services/queue-plugin-registry";
import { QueueManagerImpl } from "./services/queue-manager";
import { CachePluginRegistryImpl } from "./services/cache-plugin-registry";
import { CacheManagerImpl } from "./services/cache-manager";
import { PostgresPluginArtifactStore } from "./services/plugin-artifact-store";
import { DefaultPluginInstallerRegistry } from "./services/plugin-installers/installer-registry";
import { PluginEventRecorder } from "./services/plugin-event-recorder";
import { createPluginManagerRouter } from "./services/plugin-manager-router";
import {
  pluginManagerAccessRules,
  pluginMetadata as pluginManagerMetadata,
  pluginManagerAccess,
} from "@checkstack/pluginmanager-common";
import {
  extractPackageJson,
  tryExtractBundle,
  MAX_TARBALL_SIZE_BYTES,
} from "./services/plugin-installers/tarball-utils";
// NOTE(review): the identifier on the next line is the only "evidence in
// excerpt" the scanner cites for its GitHub-PAT exfil claim. An import by
// itself shows nothing about what the handler reads or sends; the module
// specifier and the handler's definition are outside this excerpt, so the
// claim has to be checked against the full source before it is treated as
// an indicator.
import {
  createWebSocketHandler,
  SignalServiceImpl,
--- package/src/logger.ts (excerpt) ---
import { createLogger, format, transports } from "winston";
import path from "node:path";
import fs from "node:fs";

// `combine`, `colorize` and `json` are destructured here; their use is not
// within this excerpt.
const { combine, timestamp, printf, colorize, json } = format;

// Console format for development: optional `[plugin] ` prefix, the message,
// then any remaining meta fields serialised as JSON. Meta is written verbatim
// by JSON.stringify, so whatever callers put into log fields lands in the
// console and, below, in the non-production log files — the formatter does
// no redaction.
const devFormat = printf(({ level, message, timestamp, ...meta }) => {
  const plugin = meta.plugin ? `[${meta.plugin}] ` : "";
  // Stringify the rest of meta if it exists and isn't just plugin.
  const { plugin: _p, ...rest } = meta;
  const metaStr = Object.keys(rest).length > 0 ? JSON.stringify(rest) : "";
  return `${timestamp} ${level}: ${plugin}${message} ${metaStr}`;
});

// Plain text format for file logging (without colors). The body is identical
// to devFormat above.
const fileFormat = printf(({ level, message, timestamp, ...meta }) => {
  const plugin = meta.plugin ? `[${meta.plugin}] ` : "";
  const { plugin: _p, ...rest } = meta;
  const metaStr = Object.keys(rest).length > 0 ? JSON.stringify(rest) : "";
  return `${timestamp} ${level}: ${plugin}${message} ${metaStr}`;
});

// Transports: Console always; file transports are appended below unless
// NODE_ENV is exactly "production", so an unset NODE_ENV counts as
// development and writes log files under <cwd>/.dev/logs.
const developmentTransports: transports.StreamTransportInstance[] = [
  new transports.Console(),
];
if (process.env.NODE_ENV !== "production") {
  // Create the logs directory if it doesn't exist
  const logsDir = path.join(process.cwd(), ".dev", "logs");
  if (!fs.existsSync(logsDir)) {
    fs.mkdirSync(logsDir, { recursive: true });
  }
  // Add file transports
  developmentTransports.push(
    // Timestamped log file
    new transports.File({
      filename: path.join(
        logsDir,
        `backend-${
          new
