// npm package
d-fi
A streaming music downloader.
versions
52
maintainers
2
license
MIT
first publish
2019-09-26
publisher
sayem314
tarball
204,072 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-30
// exfil path
what is read → where it ships
steals
- ● Chromium logins
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
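evidence in excerpt (the matched lines below are URL strings from the CLI banner; none of them reads credentials or names an outbound destination)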
> gradient('red', 'yellow', 'orange')(' │ repo https://notabug.org/sayem314/d-fi │ ') +
> gradient('red', 'yellow', 'orange')(' │ github https://github.com/sayem314 │ ') +
> gradient('red', 'yellow', 'orange')(' │ coffee https://ko-fi.com/sayemchowdhury │ ') +
// offending code · @2.2.0 · 3 files flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @2.2.0 · AUTO-PUBLISHED · publisher: sayem314 · heuristic 90/100 · static flags 2 · llm benign (0.85) via ollama · install-scripts:postinstall · new-publisher:0d · recent-owner-change · mature-package · dormant-takeover:prev=forkbomb9@2.1.6 · reads-chromium-creds · reads-env-vars
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code · 3 files flagged · patterns: 2
// Reviewer notes on the excerpts below: the install scripts plus three source files, collapsed onto
// three physical lines. Every excerpt is truncated, so these notes cover only what is visible.
// - install scripts: `postinstall` runs `node setup-termux.js` automatically at install time. The body
//   of setup-termux.js is not part of this excerpt; read it from the tarball before trusting the
//   package. `npm install --ignore-scripts` keeps lifecycle scripts from running during that review.
// - package/src/d-fi.ts: only the import list and the start of the banner console.log are visible.
//   The imports include fs read/write helpers and the local modules ./lib/update-check and
//   ./lib/auto-updater, whose code is not shown. NOTE(review): confirm what auto-updater fetches and runs.
// - Nothing visible in these excerpts references a browser profile path or a credential store, so the
//   reads-chromium-creds flag can be neither confirmed nor ruled out from this text alone.
--- install scripts --- ### postinstall node setup-termux.js ### prepublishOnly bun run lint && tsc --- package/src/d-fi.ts (excerpt) --- #!/usr/bin/env node import {EOL} from 'os'; import {readFileSync, writeFileSync} from 'fs'; import {dirname, join, resolve, sep} from 'path'; import {Command} from 'commander'; import gradient from 'gradient-string'; import {getUser, initDeezerApi, searchMusic, parseInfo} from 'd-fi-core'; import prompts from 'prompts'; import logUpdate from 'log-update'; import PQueue from 'p-queue'; import chalk from 'chalk'; import {trueCasePathSync} from 'true-case-path'; import signale from './lib/signale'; import downloadTrack from './lib/download-track'; import Config from './lib/config'; import updateCheck from './lib/update-check'; import autoUpdater from './lib/auto-updater'; import {commonPath, formatSecondsReadable, sanitizeFilename} from './lib/util'; import pkg from '../package.json'; import type {artistType, trackType, albumType, playlistInfoMinimal} from 'd-fi-core/dist/types'; // App info console.log( gradient('red', 'yellow', 'orange')(` ♥ d-fi - ${pkg.version} ♥ `) + '\n' + gradient('orange', 'yellow', 'red')(' ──────────────────────────────────────────────') + '\n' + gradient('red', 'yellow', 'orange')(' │ repo https://notabug.org/sayem314/d-fi │ ') + '\n' + gradient('red', 'yellow', 'orange')(' │ github https://github.com/sayem314 │ ') + '\n' + gradient('red', 'yellow', 'orange')(' │ coffee https://ko-fi.com/sayemchowdhury │ ') + '\n' + gradient('red', 'yellow', 'orange')(' ──────────────────────── --- package/src/lib/config.ts (excerpt) --- import {existsSync, readFileSync, writeFileSync} from 'fs'; import dotProp from 'dot-prop'; import signale from './signale'; type keysType = | 'concurrency' | 'saveLayout' | 'saveLayout.track' | 'saveLayout.album' | 'saveLayout.artist' | 'saveLayout.playlist' | 'playlist.resolveFullPath' | 'trackNumber' | 'fallbackTrack' | 'fallbackQuality' | 'coverSize' | 'coverSize.128' | 
// package/src/lib/config.ts (continued): `old_arl` below is a long hex string hard-coded in the
// published source. Its name and the 'cookies.arl' config key suggest a session-cookie value.
// NOTE(review): confirm, and treat it as an embedded credential; its use is outside this excerpt.
// package/src/lib/download-track.ts: `process.env.SIMULATE` is the only environment-variable read
// visible in these excerpts. `got` is imported, but no request or destination appears in the visible part.
'coverSize.320' | 'coverSize.flac' | 'cookies.arl'; type configType = { concurrency: number; saveLayout: { track: string; album: string; artist: string; playlist: string; }; playlist: { resolveFullPath: boolean; }; trackNumber: boolean; fallbackTrack: boolean; fallbackQuality: boolean; coverSize: { '128': number; '320': number; flac: number; }; cookies: { arl: string; }; }; const old_arl = 'c911a4ac9f44a52bf23720cc88588557d999b975094068d258e617bf3e9110a2626c2ff7f5d3cb471b435512e0f5a4de4d7d7e3becad4bf80b0a0e230d9001a814124f87833fe772fb6b1327d2be740f65bc5bcfc1de9171926b5ea9aae69db7'; const defaultConfig: configType = { concurrency: 4, saveLayout: { track: 'Music/{ALB_TITLE}/{SNG_TITLE}', album: 'Music/{ALB_TITLE}/{SNG_TITLE}', artist: 'Music/{ALB_TITLE}/{SNG_TITLE}', playlist: 'Playlist/{TITLE}/{SNG_TITLE}', }, playlist: { resolveFullPath: false, }, trackNumber: true, fallbackTrack: true, fallbackQuality: true, coverSize: { '128': 500, '320': 500, flac: 1000, }, --- package/src/lib/download-track.ts (excerpt) --- import got from 'got'; import stream from 'stream'; import {existsSync, mkdirSync, writeFileSync, createWriteStream, readFileSync, statSync, unlinkSync} from 'fs'; import {promisify} from 'util'; import {dirname} from 'path'; import {getTrackDownloadUrl, decryptDownload, addTrackTags} from 'd-fi-core'; import logUpdate from 'log-update'; import chalk from 'chalk'; import signale from '../lib/signale'; import {saveLayout, progressBar} from './util'; import type {trackType} from 'd-fi-core/dist/types'; import {GeoBlocked} from 'd-fi-core/dist/lib/get-url'; const pipeline = promisify(stream.pipeline); const simulate = process.env.SIMULATE; interface downloadTrackProps { track: trackType; quality: string | number; info: {[key: string]: any}; coverSizes: { '128': number; '320': number; flac: number; }; path: string; totalTracks: number; trackNumber?: boolean; fallbackTrack?: boolean; fallbackQuality?: boolean; isFallback?: boolean; isQualityFallback?: boolean; 
// downloadTrack (below) is cut off after its first local declarations; the download, decrypt and
// file-write logic it presumably contains is not visible in this excerpt.
message?: string; } const downloadTrack = async ({ track, quality, info, coverSizes, path, totalTracks, trackNumber = true, fallbackTrack = true, fallbackQuality = true, isFallback = false, isQualityFallback = false, message = '', }: downloadTrackProps): Promise<string | undefined> => { logUpdate(signale.pending(track.SNG_TITLE + ' by ' + track.ART_NAME + ' from ' + track.ALB_TITLE)); try { let ext = '.mp3', fileSize = 0, downloaded = 0,
