// npm package
create-arnext-app
versions: 9
maintainers: 1
license: MIT
first publish: 2024-10-24
publisher: asteroiddao
tarball: 321,160 B
AUTO-PUBLISHED · 1 version indexed · latest published 2025-01-30
// publisher campaign by asteroiddao
9 caught packages from this account
This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code · @0.0.9 · 2 files flagged
- @0.0.9 · AUTO-PUBLISHED · publisher: asteroiddao · heuristic 75/100 · static flags 2 · llm skipped · osv-flagged: MAL-2026-4538 · child-process-spawn · reads-env-vars
// offending code · 2 files flagged · patterns: 2
--- package/index.js (excerpt) ---
#!/usr/bin/env node
const util = require("node:util")
const exec = util.promisify(require("node:child_process").exec)
const { cpSync, existsSync } = require("fs")
const { resolve } = require("path")
const { isNil } = require("ramda")

const main = async () => {
  const appname = process.argv[2]
  if (isNil(appname)) return console.error("appname not specified")
  const appdir = resolve(process.cwd(), appname)
  if (existsSync(appdir)) return console.error(`appdir exists: ${appdir}`)
  const app = resolve(__dirname, "app")
  try {
    cpSync(app, appdir, { recursive: true })
    const { error, stdout, stderr } = await exec(
      `cd ${appdir} && yarn && rm -rf .weavedb && mkdir .weavedb`,
    )
    if (error) {
      console.error(`something went wrong...`)
    } else {
      console.log(`${appname} successfully created!`)
    }
  } catch (e) {
    console.error(e)
  }
}

main()

--- package/app/index.js (excerpt) ---
import _Link from "./link"
import { useParams as _useParams } from "./params"
import { useRouter as _useRouter } from "./router"
import ArNext_ from "./ArNext"

export const isArweave = process.env.NEXT_PUBLIC_DEPLOY_TARGET === "arweave"
export const Link = _Link
export const useParams = _useParams
export const useRouter = _useRouter
export const ArNext = ArNext_

--- package.json (entry) ---
{
  "name": "create-arnext-app",
  "version": "0.0.9",
  "main": "index.js",
  "node": "^18",
  "bin": {
    "weavedb": "index.js"
  },
  "license": "MIT",
  "dependencies": {
    "ramda": "^0.29.1",
    "yargs": "^17.7.2"
  }
}

--- index.js (entry) ---
#!/usr/bin/env node
const util = require("node:util")
const exec = util.promisify(require("node:child_process").exec)
const { cpSync, existsSync } = require("fs")
const { resolve } = require("path")
const { isNil } = require("ramda")

const main = async () => {
  const appname = process.argv[2]
  if (isNil(appname)) return console.error("appname not specified")
  const appdir = resolve(process.cwd(), appname)
  if (existsSync(appdir)) return console.error(`appdir exists: ${appdir}`)
  const app = resolve(__dirname, "app")
  try {
    cpSync(app, appdir, { recursive: true })
    const { error, stdout, stderr } = await exec(
      `cd ${appdir} && yarn && rm -rf .weavedb && mkdir .weavedb`,
    )
    if (error) {
      console.error(`something went wrong...`)
    } else {
      console.log(`${appname} successfully created!`)
    }
  } catch (e) {
    console.error(e)
  }
}

main()
