// npm package

@starmind/collector-cli

拼多多采集 CLI — 无需直连数据库，通过 WORKER_JWT_SECRET 与云端 API 交互

npmjs.com tarball

versions

maintainers

first publish

2026-05-18

publisher

jiulingyun

tarball

240,799 B

AUTO-PUBLISHED·1 version indexed·latest published 2026-05-18

// publisher campaignby jiulingyun

6 caught packages from this account

This is not an isolated catch. The same publisher has shipped 5 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.

// offending code· @0.2.10· no static-pattern hits

llm: benign · 0.85

→ No suspicious destination, no remote-exec shape — 3 known-vendor host(s).

@0.2.10·2026-05-18·AUTO-PUBLISHED·publisher: jiulingyun

heuristic 75/100

static flags 0

llm benign (0.85) via ollama

mature-packageosv-flagged:MAL-2026-3845

→ No suspicious destination, no remote-exec shape — 3 known-vendor host(s).

// offending code· no static-pattern hits

--- package.json (entry) ---
{
  "name": "@starmind/collector-cli",
  "version": "0.2.10",
  "type": "module",
  "description": "拼多多采集 CLI — 无需直连数据库，通过 WORKER_JWT_SECRET 与云端 API 交互",
  "keywords": ["pdd", "pinduoduo", "collector", "cli"],
  "files": ["dist"],
  "bin": {
    "duoduo-collector": "dist/index.js"
  },
  "publishConfig": {
    "access": "public",
    "registry": "https://registry.npmjs.org/"
  },
  "scripts": {
    "build": "tsup",
    "dev": "tsx src/index.ts",
    "lint": "echo \"(collector-cli) lint skipped\"",
    "typecheck": "tsc --noEmit"
  },
  "dependencies": {
    "axios": "^1.7.7",
    "commander": "^12.1.0",
    "dotenv": "^16.4.5",
    "playwright": "^1.44.1",
    "pino": "^9.0.0",
    "pino-pretty": "^11.0.0"
  },
  "devDependencies": {
    "@duoduo/collector-core": "*",
    "@duoduo/shared": "*",
    "@types/node": "^20.12.7",
    "tsup": "^8.3.0",
    "tsx": "^4.7.1",
    "typescript": "^5.4.5"
  },
  "engines": {
    "node": ">=18.18"
  }
}


--- index.js (entry) ---
#!/usr/bin/env node
var __create = Object.create;
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __getProtoOf = Object.getPrototypeOf;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __esm = (fn, res) => function __init() {
  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
};
var __commonJS = (cb, mod) => function __require() {
  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
};
var __export = (target, all) => {
  for (var name in all)
    __defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
  if (from && typeof from === "object" || typeof from === "function") {
    for (let key of __getOwnPropNames(from))
      if (!__hasOwnProp.call(to, key) && key !== except)
        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
  }
  return to;
};
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
  // If the importer is 

--- bundled output (OSV-MAL flagged — LLM scope expansion) ---

--- dist/index.js (bundled) ---
#!/usr/bin/env node
var __create = Object.create;
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __getProtoOf = Object.getPrototypeOf;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __esm = (fn, res) => function __init() {
  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
};
var __commonJS = (cb, mod) => function __require() {
  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
};
var __export = (target, all) => {
  for (var name in all)
    __defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
  if (from && typeof from === "object" || typeof from === "function") {
    for (let key of __getOwnPropNames(from))
      if (!__hasOwnProp.call(to, key) && key !== except)
        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
  }
  return to;
};
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
  // If the importer is in node compatibility mode or this is not an ESM
  // file that has been converted to a CommonJS file using a Babel-
  // compatible transform (i.e. "__esModule" has not been set), then set
  // "default" to the CommonJS "module.exports" for node compatibility.
  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
  mod
));

// ../../node_modules/retry/lib/retry_operation.js
var require_retry_operation = __commonJS({
  "../../node_modules/retry/lib/retry_operation.js"(exports, module) {
    "use strict";
    function RetryOperation(timeouts, options) {
      if (typeof options === "boolean") {
        options = { forever: options };
      }
      this._originalTimeouts = JSON.parse(JSON.stringify(timeouts));
      this._timeouts