// npm package
weavedb-contracts
versions
90
maintainers
1
license
MIT
first publish
2023-02-26
publisher
asteroiddao
tarball
3,131,531 B
AUTO-PUBLISHED · 1 version indexed · latest published 2026-05-27
// exfil path
what is read → where it ships
steals
- ○ home dir
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> .toString("base64")
> "url": "https://github.com/iden3/wasmcurves.git"
> along with wasmsnark. If not, see <https://www.gnu.org/licenses/>.
> function stringToBase64(str) {
> return globalThis.btoa(str)
// publisher campaign
by asteroiddao
9 caught packages from this account
This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code · @0.45.3 · 4 files flagged
- @0.45.3 · AUTO-PUBLISHED · publisher: asteroiddao · heuristic 75/100 · static flags 4 · llm skipped · mature-package · osv-flagged: MAL-2026-5192 · child-process-spawn · hex-decode · public-github-push · reads-homedir
// offending code · 4 files flagged · patterns: 4
--- package/weavedb-bpt/lib/pure.js (excerpt) ---
// Pure helpers: id/name validation and "$"-shorthand rewriting for query
// expressions. The excerpt is cut off inside replace$.
const {
  complement,
  concat,
  without,
  split,
  uniq,
  path: _path,
  map,
  isNil,
  keys,
  difference,
  intersection,
  is,
  tail,
} = require("ramda")
let fpjson = require("fpjson-lang")
fpjson = fpjson.default || fpjson

// An id is valid when it contains no "/", is not of the reserved "__...__"
// form, and is not "." or "..".
const isValidID = str =>
  /^[^\/]+$/.test(str) && !/^__.*__+$/.test(str) && !/^\.{1,2}$/.test(str)

// With an explicit limit, compares against the string length; when `len` is
// falsy (absent or 0 — the check is truthiness) the UTF-8 byte length is
// capped at 1500 instead.
const isValidLen = (str, len) =>
  len ? len >= str.length : Buffer.byteLength(str, "utf8") <= 1500

// Collection names that isValidName accepts without applying the id rules.
const isReserved = str => str === "__tokens__" || str === "__bridge__"

// Document id check; the length limit comes from state.max_doc_id_length.
const isValidDocName = (str, state) => {
  return isValidID(str) && isValidLen(str, state.max_doc_id_length)
}

// Collection name check; reserved names short-circuit past the id/length rules.
const isValidName = (str, state) => {
  return (
    isReserved(str) ||
    (isValidID(str) && isValidLen(str, state.max_collection_id_length))
  )
}

// Deep copy by JSON round-trip (undefined values and functions are dropped, as
// JSON.stringify does).
const clone = state => JSON.parse(JSON.stringify(state))

// Rewrites a "$"-prefixed shorthand string into its fpjson operator form:
// l$x → toLower, u$x → toUpper, o$x → not-nil, x$x → isNil, !$x → not,
// $$x → the literal string with one "$" removed, $x → { var: "x" };
// anything else is returned unchanged. The excerpt ends inside this function
// (the non-string branch is cut off).
const replace$ = arrs => {
  if (typeof arrs === "string") {
    return arrs.slice(0, 2) === "l$"
      ? ["toLower", { var: arrs.slice(2) }]
      : arrs.slice(0, 2) === "u$"
      ? ["toUpper", { var: arrs.slice(2) }]
      : arrs.slice(0, 2) === "o$"
      ? [["complement", ["isNil"]], { var: arrs.slice(2) }]
      : arrs.slice(0, 2) === "x$"
      ? ["isNil", { var: arrs.slice(2) }]
      : arrs.slice(0, 2) === "!$"
      ? ["not", { var: arrs.slice(2) }]
      : arrs.slice(0, 2) === "$$"
      ? tail(arrs)
      : arrs[0] === "$"
      ? { var: tail(arrs) }
      : arrs
  } el
--- package/weavedb-bpt/lib/utils.js (excerpt) ---
let fpjson = require("fpjson-lang")
fpjson = fpjson.default || fpjson
const md5 = require("./md5")
const {
  of,
  mergeLeft,
  keys,
  symmetricDifference,
  uniq,
  sortBy,
  identity,
  reverse,
  indexOf,
  prop,
  assoc,
  tail,
  pluck,
  map,
  toString,
  splitWhen,
  complement,
  init,
  is,
  isNil,
  slice,
  includes,
  last,
  intersection,
  append,
  difference,
  path: _path,
  concat,
  without,
} = require("ramda")
const {
  fpj,
  ac_funcs,
  clone,
  isValidName,
  isValidDocName,
  setElm,
  parse: __parse,
} = require("./pure")
const fn = require("./fn")
const { get: _get } = require("./index")
const { validate } = require("./jsonschema")
const { err, read } = require("./base")

// True while the most recent evolveHistory entry has no newVersion yet.
const isEvolving = state =>
  !isNil(state.evolveHistory) &&
  !isNil(last(state.evolveHistory)) &&
  isNil(last(state.evolveHistory).newVersion)

// Walks `path` into `data`, creating missing intermediate objects in place
// (this mutates `data`), and returns [lastKey, objectHoldingIt].
const getField = (data, path) => {
  if (path.length === 1) {
    return [path[0], data]
  } else {
    if (isNil(data[path[0]])) data[path[0]] = {}
    return getField(data[path[0]], tail(path))
  }
}

// Derives an id from md5(JSON of input + tx id/block height + timestamp).
// `salt` is not referenced in this excerpt.
// The hex decode and `.toString("base64")` below are the lines the scanner
// quoted as evidence; here they re-encode the md5 digest, with "/" → "_" and
// "+" → "-" so the id is URL-safe.
// NOTE(review): md5 is not collision resistant; whether id collisions matter
// depends on callers not shown here.
const genId = async (action, salt, SmartWeave) => {
  const id = md5(
    JSON.stringify({
      input: action.input,
      txid: SmartWeave.transaction?.id ?? SmartWeave.block?.height,
      timestamp: SmartWeave.transaction?.timestamp ?? SmartWeave.block?.timestamp,
    }),
  )
  return Buffer.from(id, "hex")
    .toString("base64")
    .replace(/\//g, "_")
    .replace(/\+/g, "-")
}
// Excerpt ends here, inside the parameter list of mergeDataP.
const mergeDataP = async ( _data, new_
--- package/polygon-id/lib/wasmcurves/package.json (excerpt) ---
{
  "name": "wasmcurves",
  "version": "0.2.2",
  "description": "elliptic curves implementations in wasm",
  "main": "index.js",
  "scripts": {
    "lint": "eslint .",
    "pretest": "npm run lint",
    "test": "mocha",
    "build_bn128": "node tools/buildwasm_bn128.js",
    "build_mnt6753": "node tools/buildwasm_mnt6753.js",
    "build_bls12381": "node tools/buildwasm_bls12381.js"
  },
  "keywords": [
    "bigint",
    "bignum",
    "biginteger",
    "zq",
    "elliptic",
    "curve",
    "prime",
    "field"
  ],
  "author": "Jordi Baylina",
  "license": "GPL-3.0",
  "repository": {
    "type": "git",
    "url": "https://github.com/iden3/wasmcurves.git"
  },
  "devDependencies": {
    "eslint": "^8.17.0",
    "mocha": "^10.0.0"
  },
  "dependencies": {
    "wasmbuilder": "0.0.16"
  }
}
--- package/polygon-id/lib/groth16/threadman.js (excerpt) ---
/*
    Copyright 2019 0KIMS association.

    This file is part of wasmsnark (Web Assembly zkSnark Prover).

    wasmsnark is a free software: you can redistribute it and/or modify it
    under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    wasmsnark is distributed in the hope that it will be useful, but WITHOUT
    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
    FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
    more details.

    You should have received a copy of the GNU General Public License
    along with wasmsnark. If not, see <https://www.gnu.org/licenses/>.
*/
// const MEM_SIZE = 1000; // Memory size in 64K Pakes (512Mb)
const MEM_SIZE = 25 // Memory size in 64K Pakes (1600Kb)
const thread = require("./threadman_thread.js")
//const os = require("os")
//const Worker = require("web-worker")

// A promise whose resolve/reject are exposed on the instance so another party
// can settle it later.
class Deferred {
  constructor() {
    this.promise = new Promise((resolve, reject) => {
      this.reject = reject
      this.resolve = resolve
    })
  }
}

// Resolves after `ms` milliseconds.
function sleep(ms) {
  return new Promise(resolve => setTimeout(resolve, ms))
}

// Base64-encodes `str`: btoa when a browser `window` exists, Buffer otherwise.
// This is the btoa/base64 usage quoted as scanner evidence; its only visible
// caller is threadSource below, which encodes the worker's own source text.
// btoa accepts Latin-1 input only (throws on wider characters), while
// Buffer.from(str) encodes as UTF-8.
function stringToBase64(str) {
  if (typeof window !== "undefined") {
    return globalThis.btoa(str)
  } else {
    return Buffer.from(str).toString("base64")
  }
}

// Serializes the worker function from ./threadman_thread.js (not shown in this
// excerpt) as an IIFE applied to `self`, then base64-encodes it. workerSource
// starts with "data:", so this appears to feed a data: URL worker; the literal
// is cut off at the end of the excerpt.
const threadSource = stringToBase64("(" + thread.toString() + ")(self)")
const workerSource = "data:
--- bundled output (OSV-MAL flagged — LLM scope expansion) ---
--- polygon-id/lib/js-iden3-core/did-helper.js (bundled) ---
const { Constants, DidMethodNetwork, DidMethodByte } = require("./constants")

// Pair of blockchain name and network id, parsed from a "blockchain:networkId"
// key of DidMethodNetwork.
class DIDNetworkFlag {
  constructor(blockchain, networkId) {
    this.blockchain = blockchain
    this.networkId = networkId
  }
  // Splits on ":"; replace() with a string pattern removes only the first "_"
  // in each part.
  static fromString(s) {
    const [blockchain, networkId] = s.split(":")
    return new DIDNetworkFlag(
      blockchain.replace("_", ""),
      networkId.replace("_", "")
    )
  }
}

// findNetworkIDForDIDMethodByValue returns the networkId whose byte value is
// `byteNumber` under `method`. Both failure cases throw the constants from
// ./constants as-is (not wrapped in Error), unlike the unknown-method case in
// findBlockchainForDIDMethodByValue below.
function findNetworkIDForDIDMethodByValue(method, byteNumber) {
  const methodMap = DidMethodNetwork[method]
  if (!methodMap) {
    throw Constants.ERRORS.UNSUPPORTED_DID_METHOD
  }
  for (const [key, value] of Object.entries(methodMap)) {
    if (value === byteNumber) {
      return DIDNetworkFlag.fromString(key).networkId
    }
  }
  throw Constants.ERRORS.NETWORK_NOT_SUPPORTED_FOR_DID
}

// findBlockchainForDIDMethodByValue finds blockchain type by byte value.
// Unknown method → Error with NETWORK_NOT_SUPPORTED_FOR_DID in the message;
// no matching byte → the bare UNSUPPORTED_BLOCKCHAIN_FOR_DID constant.
function findBlockchainForDIDMethodByValue(method, byteNumber) {
  const methodMap = DidMethodNetwork[method]
  if (!methodMap) {
    throw new Error(
      `${Constants.ERRORS.NETWORK_NOT_SUPPORTED_FOR_DID}: did method ${method} is not defined in core lib`
    )
  }
  for (const [key, value] of Object.entries(methodMap)) {
    if (value === byteNumber) {
      return DIDNetworkFlag.fromString(key).blockchain
    }
  }
  throw Constants.ERRORS.UNSUPPORTED_BLOCKCHAIN_FOR_DID
}

// findDIDMethodByValue finds did method by its byte value; throws the bare
// UNSUPPORTED_DID_METHOD constant when no entry of DidMethodByte matches.
function findDIDMethodByValue(byteNumber) {
  for (const [key, value] of Object.entries(DidMethodByte)) {
    if (value === byteNumber) {
      return key
    }
  }
  throw Constants.ERRORS.UNSUPPORTED_DID_METHOD
}

module.exports = {
  findNetworkIDForDIDMethodByValue,
  findBlockchainForDIDMethodByValue,
  findDIDMethodByValue,
}
--- polygon-id/lib/js-iden3-core/did-parser.js (bundled) ---
// Empty DID parse result, frozen so it can be shared as a template.
const initDIDParams = Object.freeze({
  method: "",
  id: "",
  idStrings: [],
  params: [],
  path: "",
  pathSegments: [],
  query: "",
  fragment: "",
})

// Character-class predicates used by the DID parser, all phrased in the
// negative ("isNot..."). The class continues past the end of this excerpt.
class StringUtils {
  // id chars: alphanumerics, "." and "-"
  static isNotValidIDChar(char) {
    return (
      StringUtils.isNotAlpha(char) &&
      StringUtils.isNotDigit(char) &&
      char !== "." &&
      char !== "-"
    )
  }
  // param chars: id chars plus "_" and ":"
  static isNotValidParamChar(char) {
    return (
      StringUtils.isNotAlpha(char) &&
      StringUtils.isNotDigit(char) &&
      char !== "." &&
      char !== "-" &&
      char !== "_" &&
      char !== ":"
    )
  }
  // query/fragment chars: path chars plus "/" and "?"
  static isNotValidQueryOrFragmentChar(char) {
    return StringUtils.isNotValidPathChar(char) && char !== "/" && char !== "?"
} static isNotValidPathChar(char) { return ( StringUtils.isNotUnreservedOrSubdelim(char) && char !== ":" && char !== "@" ) } static isNotUnreservedOrSubdelim(char) { switch (char) { case "-": case ".": case "_": case "~": case "!": case "$": case "&": case "'": case "(": case ")": case "*": case "+": case ",": case ";": case "=": return false default: if (StringUtils.isNotAlpha(char) && StringUtils.isNotDigit(char)) { return true } return false } } static isNotHexDigit(char) { return ( StringUtils.isNotDigit(char) && (char < "\x41" || char > "\x46") && (char < "\x61" || char > "\x66") ) } static isNotDigit(char) { // '\x30' is digit 0, '\x39' is digit 9 return char < "\x30" || char > "\x39" } // StringUtils.isNotAlpha returns true if a byte is not a big letter between A-Z or small letter between a-z // https://tools.ietf.org/html/rfc5234#appendix-B.1 static isNotAlpha(char) { return ( StringUtils.isNotSmallLetter(char) && StringUtils.isNotBigLetter(char) ) } // isNotBigLetter returns true if a byte is not a big letter between A-
