// npm package
@oml/cli
The cli specific package
versions
42
maintainers
1
first publish
2026-03-14
publisher
melaasar
tarball
328,591 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-06-05
// exfil path
what is read → where it shipssteals
- ● GitHub PAT
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> const CLI_PACKAGE_URL = 'https://registry.npmjs.org/@oml%2fcli';
> import { spawn, execFile, type ChildProcess } from 'node:child_process';// offending code· @0.20.1· 3 files flagged
- @0.20.1··AUTO-PUBLISHED·publisher: melaasarheuristic 64/100static flags 5llm skippednew-publisher:5dmature-packagepublisher-multi-name-burst:5publisher-version-pump:6reads-env-varschild-process-spawnreads-homedirreads-github-tokensbase64-decode
// offending code· 3 files flaggedpatterns: 5
--- package/src/cli.ts (excerpt) --- // Copyright (c) 2026 Modelware. All rights reserved. import chalk from 'chalk'; import { Command } from 'commander'; import * as fs from 'node:fs/promises'; import * as path from 'node:path'; import * as url from 'node:url'; import { OmlCliAuthService } from './auth/auth.js'; import { exportAction } from './commands/export.js'; import { lintAction } from './commands/lint.js'; import { renderAction } from './commands/render.js'; import { codegenAction } from './commands/codegen.js'; import { serverStartAction, serverRunAction, serverStatusAction, serverStopAction, serverListAction } from './commands/server/actions.js'; import { assertServerRunning } from './commands/server/require.js'; import { notifyIfCliUpdateAvailable } from './update.js'; import { validateAction } from './commands/validate.js'; import { CliExitError } from './cli-error.js'; import { trackCommand } from './auth/platform.js'; import { readWorkspaceSettings } from '@oml/server/workspace-settings'; const __dirname = url.fileURLToPath(new URL('.', import.meta.url)); let debugEnabled = false; export interface CliCommandInfo { name: string; description: string; usage?: string; } export function getWorkspaceCommands(): CliCommandInfo[] { return [ { name: 'lint', description: 'lints OML files and prints any syntax or validation errors' }, { name: 'render [options]', description: 'lint the workspace, then render markdown files to static html', --- package/src/update.ts (excerpt) --- // Copyright (c) 2026 Modelware. All rights reserved. import chalk from 'chalk'; const CLI_PACKAGE_NAME = '@oml/cli'; const CLI_PACKAGE_URL = 'https://registry.npmjs.org/@oml%2fcli'; const UPDATE_CHECK_TIMEOUT_MS = 1_200; interface NpmPackageResponse { 'dist-tags'?: { latest?: unknown } } interface ParsedVersion { major: number minor: number patch: number prerelease: string | undefined } export async function notifyIfCliUpdateAvailable(currentVersion: string): Promise<void> { if (!shouldCheckForUpdates()) { return; } try { const latestVersion = await fetchLatestCliVersion(); if (latestVersion === undefined || compareVersions(latestVersion, currentVersion) <= 0) { return; } const updateCommand = `npm install -g ${CLI_PACKAGE_NAME}@latest`; console.error(chalk.yellow( `A newer ${CLI_PACKAGE_NAME} release is available (${currentVersion} -> ${latestVersion}).` )); console.error(chalk.yellow(`Update with: ${updateCommand}`)); } catch { // Ignore update check failures so the CLI command remains unaffected. } } function shouldCheckForUpdates(): boolean { if (process.env.CI !== undefined) { return false; } if (process.env.OML_NO_UPDATE_NOTIFIER === '1') { return false; } return process.stderr.isTTY; } async function fetchLatestCliVersion(): Promise<string | undefined> { const response = awa --- package/src/commands/server/actions.ts (excerpt) --- // Copyright (c) 2026 Modelware. All rights reserved. import * as net from 'node:net'; import * as os from 'node:os'; import * as path from 'node:path'; import * as fs from 'node:fs/promises'; import { constants as FsConstants, realpathSync } from 'node:fs'; import { createHash } from 'node:crypto'; import { createRequire } from 'node:module'; import { spawn, execFile, type ChildProcess } from 'node:child_process'; import { promisify } from 'node:util'; import type { OmlCliAuthService } from '../../auth/auth.js'; import { readWorkspaceSettings } from '@oml/server/workspace-settings'; const DEFAULT_HOST = '127.0.0.1'; const STARTUP_TIMEOUT_MS = 15_000; const SHUTDOWN_TIMEOUT_MS = 3000; const POLL_INTERVAL_MS = 100; const execFileAsync = promisify(execFile); type EntitlementCache = { expiry: number; featureIds: string[]; token?: string; }; type StartServerOptions = { port?: number | string; workspace?: string; auth?: { accessToken: string; }; entitlementCache?: EntitlementCache; }; type ServerStatePaths = { dir: string; lockFile: string; workspaceRoot: string; }; type ServerLockState = { pid: number; port: number; owner?: 'cli' | 'extension'; workspaceRoot?: string; }; function workspaceHash(workspaceRoot: string): string { return createHash('sha256').update(canonicalWorkspacePath(workspaceRoot)).digest('hex'); } function canonicalWorkspacePath(workspaceRoot: string): string { const resolved = p
