// npm 패키지
vulnsweep
VulnSweep CLI - npm vulnerability scanner
버전
1
메인테이너
1
최초 publish
2026-06-03
publisher
carlosgalveias
tarball
279,424 B
AUTO-PUBLISHED·3개 버전 인덱싱됨·최근 publish: 2026-06-03
// exfil path
what is read → where it ships
steals
- ● GitHub PAT
- ○ home dir
- ○ system info
sends to
- ⤳ vulnsweep.app (via hostname var)
// offending code· @1.3.4· 1 file flagged
llm: malicious · 0.95 → 크리덴셜 읽기 (reads-github-tokens) + 외부 전송지 dest-via-hostname-var 조합 — 전형적인 유출 패턴. 단, 아래 발췌 코드에서 직접 확인되는 것은 텔레메트리 모듈(eu.aptabase.com으로 process.platform·process.version 전송, VULNSWEEP_NO_TELEMETRY=1 또는 DO_NOT_TRACK=1로 옵트아웃)뿐이며, reads-github-tokens·dest-via-hostname-var에 해당하는 코드는 발췌 범위 밖이므로 판정 근거는 원본 tarball에서 직접 확인해야 한다.
- @1.3.4 · AUTO-PUBLISHED · publisher: carlosgalveias · heuristic 40/100 · static flags 7 · llm malicious (0.95) via fast-track · metadata flags: new-publisher:0d, first-version-of-package · code patterns: reads-github-tokens, reads-env-vars, reads-homedir, reads-system-info, base64-decode, child-process-spawn, dest-via-hostname-var
→ 크리덴셜 읽기 (reads-github-tokens) + 외부 전송지 dest-via-hostname-var 조합 — 전형적인 유출 패턴.
// offending code · 1 file flagged · patterns: 7
--- package/vulnsweep.js (excerpt) --- #!/usr/bin/env node "use strict";var h=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports);/* h(): lazy CommonJS module wrapper — runs the factory once and caches its exports */var An=h((cE,$n)=>{"use strict";/* Telemetry module: posts CLI usage events to Aptabase (eu.aptabase.com) unless the user opted out */var{randomUUID:rl}=require("node:crypto"),nl="A-EU-9601263447",sl="https://eu.aptabase.com/api/v0/event",ar=null,pt=[];/* nl: Aptabase App-Key sent as a request header; sl: event endpoint; ar: cached per-process session id; pt: in-flight request promises */function ol(){return ar||(ar=rl()),ar}/* opt-out check: VULNSWEEP_NO_TELEMETRY=1 or DO_NOT_TRACK=1 */function bn(){return process.env.VULNSWEEP_NO_TELEMETRY==="1"||process.env.DO_NOT_TRACK==="1"}/* trackEvent(e, t): fire-and-forget POST of one event; returns the request promise, or undefined when opted out or e is empty */function il(e,t){if(bn()||!e)return;let r={timestamp:new Date().toISOString(),sessionId:ol(),eventName:e,systemProps:{osName:process.platform,/* NOTE(review): osVersion is process.version, i.e. the Node.js runtime version, not the OS release */osVersion:process.version,appVersion:al(),sdkVersion:"vulnsweep-cli/1.0.0"},props:{...t,source:"cli"}},n=fetch(sl,{method:"POST",headers:{"Content-Type":"application/json","App-Key":nl},body:JSON.stringify(r),signal:globalThis.AbortSignal.timeout(5e3)}).catch(()=>{});/* 5 s timeout; fetch errors are swallowed — telemetry is best-effort */return pt.push(n),n}var ft=null;/* appVersion: read once from ./package.json next to this file, "unknown" on any failure */function al(){if(!ft)try{let{readFileSync:e}=require("node:fs"),{resolve:t}=require("node:path");ft=JSON.parse(e(t(__dirname,"./package.json"),"utf8")).version||"unknown"}catch{ft="unknown"}return ft}/* flush(): wait up to 2 s for pending requests to settle, then clear the list */async function cl(){if(pt.length===0)return;let e=new Promise(t=>setTimeout(t,2e3));await Promise.race([Promise.allSettled(pt),e]),pt.splice(0)}$n.exports={trackEvent:il,isOptedOut:bn,flush:cl}});/* CLI argument-parsing module (node:util parseArgs); the excerpt is cut off mid-definition below, so the flagged exfil code is not visible here */var _n=h((lE,Rn)=>{"use strict";var{existsSync:In}=require("node:fs"),{resolve:Cn}=require("node:path"),{parseArgs:ll}=require("node:util"),ul={type:["audit","dependency"],format:["cyclonedx","spdx"],"fix-level":["low","high"],"update-level":["low","high"],threshold:["none","critical --- dynamic destinations --- → vulnsweep.app (via hostname-var)
