// npm 패키지
npm-link-up
Use this package to link your projects together for local development.
버전
39
메인테이너
1
라이선스
MIT
최초 publish
2017-04-13
publisher
oresoftware
tarball
186,482 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-06-03
// exfil path
what is read → where it ships
steals
- ● Chromium logins
- ○ system info
sends to
- ⚙ curl | bash (fetches + executes remote payload)
// publisher 캠페인 by oresoftware
이 계정에서 catch된 패키지 3건
고립된 catch가 아닙니다. 동일 publisher가 2개의 다른 패키지를 추가로 발행했고, 모두 파이프라인이 catch했습니다 — 일회성이 아닌 조직적 캠페인의 형태. 아래 링크는 각 형제 catch의 분석으로 이동합니다.
// offending code· @0.1.325· 3 files flagged
llm: malicious · 0.95
→ 정적 분석기가 curl-pipe-bash 패턴 검출 — 설치 경로에 원격 코드 실행 형태가 그대로 드러남.
- @0.1.325 · AUTO-PUBLISHED · publisher: oresoftware · heuristic 89/100 · static flags 4 · llm malicious (0.95) via fast-track · install-scripts:postinstall · new-publisher:0d · mature-package · has-source-repo · publisher-multi-name-burst:5 · publisher-version-pump:6 · public-github-push · reads-chromium-creds · reads-system-info · curl-pipe-bash
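→ 정적 분석기가 curl-pipe-bash 패턴 검출 — 설치 경로에 원격 코드 실행 형태가 그대로 드러남. 아래 발췌에서 이 패턴은 postinstall.sh의 Darwin 분기에 해당하며, raw.githubusercontent.com의 oresoftware/realpath master 브랜치에서 install.sh를 받아 bash로 바로 실행한다. 커밋 고정이나 체크섬 검증이 없으므로 설치 시점에 그 브랜치에 있는 내용이 그대로 실행된다. reads-chromium-creds 플래그에 해당하는 코드는 이 페이지의 발췌 범위에서는 보이지 않으므로, 판정을 확정하기 전에 flagged 파일 전체를 확인해야 한다. 검토가 끝나기 전에는 npm install --ignore-scripts로 postinstall 실행을 막을 수 있다.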
// offending code · 3 files flagged · patterns: 4
--- install scripts --- ### postinstall ./assets/postinstall.sh --- package/package.json (excerpt) --- { "name": "npm-link-up", "version": "0.1.325", "bin": { "nlu": "cli/index.sh", "npmlinkup": "cli/index.sh" }, "description": "Use this package to link your projects together for local development.", "main": "dist/index.js", "types": "dist/index.d.ts", "typings": "dist/index.d.ts", "scripts": { "test": "./scripts/test.sh", "postinstall": "./assets/postinstall.sh" }, "repository": { "type": "git", "url": "git+https://github.com/ORESoftware/npm-link-up.git" }, "keywords": [ "npm", "link", "suman", "local", "development", "modules", "modularization" ], "author": "Olegzandr VD", "license": "MIT", "bugs": { "url": "https://github.com/ORESoftware/npm-link-up/issues" }, "homepage": "https://github.com/ORESoftware/npm-link-up#readme", "dependencies": { "@oresoftware/envstr": "0.0.1001", "@oresoftware/shell": "latest", "ajv": "^6.5.1", "async": "^2.6.1", "chalk": "^2.4.1", "dashdash": "^1.14.1", "frankenstop": "latest", "json-stdio": "latest", "mkdirp": "^0.5.1", "prepend-transform": "latest", "residence": "latest", "semver": "^5.6.0", "treeify": "^1.0.1" }, "devDependencies": { "@types/async": "latest", "@types/mkdirp": "^0.5.2", "@types/node": "10.3.5", "@types/semver": "^5.5.0", "rimraf": "^2.6.1" }, "r2g": { "test": "node .r2g/tests/phase-contract.cjs --phase-z" }, "nlu": { "test": "echo 'nlu test --- package/assets/completion.sh (excerpt) --- #!/bin/bash # # Bash completion generated for 'nlu' at Thu Jul 12 2018 14:34:44 GMT-0700 (Pacific Daylight Time). # # The original template lives here: # https://github.com/trentm/node-dashdash/blob/master/etc/dashdash.bash_completion.in # # # Copyright 2016 Trent Mick # Copyright 2016 Joyent, Inc. # # # A generic Bash completion driver script. # # This is meant to provide a re-usable chunk of Bash to use for # "etc/bash_completion.d/" files for individual tools. 
Only the "Configuration" # section with tool-specific info need differ. Features: # # - support for short and long opts # - support for knowing which options take arguments # - support for subcommands (e.g. 'git log <TAB>' to show just options for the # log subcommand) # - does the right thing with "--" to stop options # - custom optarg and arg types for custom completions # - (TODO) support for shells other than Bash (tcsh, zsh, fish?, etc.) # # # Examples/design: # # 1. Bash "default" completion. By default Bash's 'complete -o default' is # enabled. That means when there are no completions (e.g. if no opts match # the current word), then you'll get Bash's default completion. Most notably # that means you get filename completion. E.g.: # $ tool ./<TAB> # $ tool READ<TAB> # # 2. all opts and subcmds: # $ tool <TAB> # $ tool -v <TAB> # assuming '-v' doesn't take an arg # $ tool -<TAB> # matching opts # $ git lo<TAB> # matching subcmds # # Long opt comp --- package/assets/postinstall.sh (excerpt) --- #!/usr/bin/env bash set -e; if [[ "$skip_postinstall" == "yes" ]]; then echo "skipping nlu postinstall routine."; exit 0; fi export FORCE_COLOR=1; export skip_postinstall="yes"; mkdir -p "$HOME/.nlu/global" || { echo "Could not create .nlu/global dir in user home."; exit 1; } mkdir -p "$HOME/.oresoftware/bin" || { echo "Could not create .oresoftware/bin dir in user home."; exit 1; } if [[ "$(uname -s)" == "Darwin" ]]; then curl --silent -o- https://raw.githubusercontent.com/oresoftware/realpath/master/assets/install.sh | bash || { echo "Could not install realpath on your system."; exit 1; } fi mkdir -p "$HOME/.oresoftware/bash" && { cat "assets/shell.sh" > "$HOME/.oresoftware/bash/nlu.sh" || { echo "Could not copy nlu.sh file to ~/.oresoftware/bash dir."; exit 1; } } mkdir -p "$HOME/.oresoftware/bash" && { cat "assets/completion.sh" > "$HOME/.oresoftware/bash/nlu.completion.sh" || { echo "Could not copy completion.sh file to ~/.oresoftware/bash dir."; exit 1; } } ( if [[ 
-f "node_modules/@oresoftware/shell/assets/shell.sh" ]]; then cat "node_modules/@oresoftware/shell/assets/shell.sh" > "$HOME/.oresoftware/shell.sh" && { echo "Successfully copied @oresoftware/shell/assets/shell.sh to $HOME/.oresoftware/shell.sh"; exit 0; } fi curl -H 'Cache-Control: no-cache' \ "https://raw.githubusercontent.com/oresoftware/shell/master/assets/shell.sh?$(date +%s)" \ --output "$H
