// npm package
weavedb-sdk-base
A decentralized NoSQL database powered by Arweave.
versions
2
maintainers
1
license
MIT
first publish
2023-02-27
publisher
asteroiddao
tarball
1,010,408 B
AUTO-PUBLISHED·2 versions indexed·latest published 2026-05-26
// publisher campaign by asteroiddao
9 caught packages from this account
This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @0.21.1· no static-pattern hits
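llm: benign · 0.85 → No suspicious destination, no remote-exec shape — 1 known-vendor host(s), 1 other host(s). This verdict sits alongside the osv-flagged:MAL-2026-4724 tag and an install-time preinstall hook: the listing's install-scripts section shows only the command ./bin/install-deps, not the script's contents, so review that file before relying on the benign score.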
- @0.21.1 · AUTO-PUBLISHED · publisher: asteroiddao · heuristic 89/100 · static flags 0 · llm benign (0.85) via ollama · install-scripts:preinstall · new-publisher:1d · has-source-repo · publisher-multi-name-burst:16 · publisher-version-pump:17 · osv-flagged:MAL-2026-4724
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s), 1 other host(s).
// offending code· no static-pattern hits
--- install scripts ---
### preinstall
./bin/install-deps
--- package.json (entry) ---
{
  "name": "weavedb-sdk-base",
  "version": "0.21.1",
  "description": "A decentralized NoSQL database powered by Arweave.",
  "homepage": "https://weavedb.dev",
  "repository": { "type": "git", "url": "https://github.com/weavedb/weavedb" },
  "main": "index.js",
  "license": "MIT",
  "engines": { "node": ">=16.5" },
  "scripts": { "preinstall": "./bin/install-deps" },
  "dependencies": {
    "@aws-amplify/api": "^5.0.14",
    "@metamask/eth-sig-util": "^5.0.2",
    "@metamask/legacy-web3": "^2.0.0",
    "@paralleldrive/cuid2": "^2.2.0",
    "arweave": "^1.11.4",
    "buffer": "^6.0.3",
    "fpjson-lang": "^0.1.1",
    "json-logic-js": "^2.0.2",
    "md5": "^2.3.0",
    "ramda": "^0.28.0",
    "redis": "^4.6.4",
    "shortid": "^2.2.16",
    "tweetnacl": "^1.0.3",
    "warp-contracts": "1.2.48",
    "warp-contracts-lmdb": "^1.1.9",
    "warp-contracts-old": "npm:warp-contracts@1.2.26",
    "warp-contracts-plugin-subscription": "^1.0.5",
    "warp-contracts-pubsub": "^1.0.5",
    "weavedb-base": "^0.21.1",
    "weavedb-contracts": "^0.21.0"
  },
  "devDependencies": { "esbuild": "^0.14.50", "rimraf": "^3.0.2" }
}
--- index.js (entry) ---
// NOTE(review): everything in this index.js excerpt is module-level setup —
// imports plus two constant lists and one mutable binding. No network call,
// file access or process spawn appears in the lines shown here.

// Ramda helpers pulled in by name.
const {
  invertObj,
  uniq,
  map,
  drop,
  splitWhen,
  init,
  o,
  includes,
  append,
  equals,
  all,
  complement,
  isNil,
  pluck,
  is,
  last,
  tail,
  clone,
} = require("ramda")
const shortid = require("shortid")
// Current warp-contracts build (pinned to 1.2.48 in the package.json above).
const {
  WarpFactory,
  LoggerFactory,
  defaultCacheOptions,
} = require("warp-contracts")
// Second copy of the same library: "warp-contracts-old" is an npm alias for
// warp-contracts@1.2.26 (see dependencies above), imported under *_old names.
const {
  WarpFactory: WarpFactory_old,
  LoggerFactory: LoggerFactory_old,
  defaultCacheOptions: defaultCacheOptions_old,
} = require("warp-contracts-old")
const { parseQuery } = require("weavedb-contracts/weavedb/lib/utils")
const md5 = require("md5")
const { createId } = require("@paralleldrive/cuid2")
// List of operation names; presumably the calls that carry a data payload —
// how the list is consumed is not visible in this excerpt.
const is_data = [
  "set",
  "setSchema",
  "setRules",
  "addIndex",
  "removeIndex",
  "add",
  "update",
  "upsert",
]
// List of operation names; presumably the calls that take no collection/doc
// path — confirm against the code that reads it, which is not shown here.
const no_paths = [
  "nonce",
  "ids",
  "getCrons",
  "getAlgorithms",
  "getLinkedContract",
  "getOwner",
  "getAddressLink",
  "getRelayerJob",
  "listRelayerJobs",
  "getEvolve",
  "getInfo",
  "addCron",
  "removeCron",
  "setAlgorithms",
  "addRelayerJob",
  "removeRelayerJob",
  "linkContract",
  "evolve",
  "migrate",
  "setCanEvolve",
  "setSecure",
  "addOwner",
  "removeOwner",
  "addAddressLink",
  "removeAddressLink",
]
// Module-level mutable binding, declared without a value; the index.js
// excerpt ends here.
let state
--- bundled output (OSV-MAL flagged — LLM scope expansion) ---
--- warp-contracts-plugin-subscription.js (bundled) ---
const { initPubSub, subscribe } = require("warp-contracts-pubsub")
// NOTE(review): apart from LoggerFactory, none of the names imported from
// "warp-contracts" below are referenced in the visible part of this file.
const {
  EvalStateResult,
  GQLNodeInterface,
  LoggerFactory,
  SortKeyCacheResult,
  Warp,
} = require("warp-contracts")
const { WarpPlugin, WarpPluginType } = require("warp-contracts")
// Dynamic code construction, but the body is a fixed string literal in the
// file — nothing fetched or user-supplied is compiled here. It is the kind
// of construct a static "new Function" rule would match and a reviewer
// should triage by checking where the string comes from.
const isNode = new Function(
  "try {return this===global;}catch(e){return false;}"
)
// NOTE(review): `isNode` is never called; the condition tests the function
// object itself, which is always truthy, so this branch runs on every load
// and replaces global.WebSocket with the "ws" module. "ws" is not among the
// dependencies in the package.json shown above — which package declares it
// is not visible here; verify when auditing the dependency tree.
if (isNode) {
  global.WebSocket = require("ws")
}
// Plugin that subscribes to a pub/sub channel for one contract and hands
// each received message to process().
class WarpSubscriptionPlugin {
  // NOTE(review): in the visible code the constructor stores only
  // this.logger; `contractTxId` and `warp` are not assigned to `this`, yet
  // this.contractTxId is read in the "Subscribed" log line below.
  constructor(contractTxId, warp) {
    this.logger = LoggerFactory.INST.create("WarpSubscriptionPlugin")
    // Timestamp of the last reconnect attempt, used to reset the back-off.
    let last_attempt = Date.now()
    const connect = (attempt = 1) => {
      initPubSub()
      subscribe(
        `interactions/${contractTxId}`,
        // Message handler: the payload arrives over the pub/sub connection
        // and should be treated as untrusted. JSON.parse has no try/catch
        // here, so malformed data rejects this async callback; how
        // subscribe() deals with that rejection is not visible. The parsed
        // message is also written to the debug log in full.
        async ({ data }) => {
          const message = JSON.parse(data)
          this.logger.debug("New message received", message)
          await this.process(message)
        },
        // Error handler: logs to the console and schedules a reconnect after
        // `attempt` seconds. The counter resets to 1 when more than 60 s
        // have passed since the previous attempt, otherwise it increments;
        // there is no upper bound on the delay or on the number of retries.
        e => {
          console.log(e.error)
          console.log(`reconnecting in...${attempt} secs`)
          setTimeout(() => {
            const date = Date.now()
            connect(date - 1000 * 60 > last_attempt ? 1 : ++attempt)
            last_attempt = date
          }, 1000 * attempt)
        }
      )
        .then(() => {
          this.logger.debug("Subscribed to interactions for", this.contractTxId)
        })
        .catch(e => {
          this.logger.error("Error while subscribing", e)
        })
    }
    // The subscription is opened as a side effect of construction.
    connect()
  }
  // No-op in this class.
  process(input) {}
  // Returns the fixed plugin type string.
  type() {
    return "subscription"
  }
}
// NOTE(review): as listed, this class has no `extends` clause, but its
// method reads this.warp, this.contractTxId and this.logger — where those
// are set is not visible in this excerpt.
class StateUpdatePlugin {
  // Compares the sort key of the latest locally available state with the
  // message's lastSortKey; when they are equal, applies just the new
  // interaction via readStateFor(). The else branch is cut off where this
  // listing ends, so the fallback path cannot be reviewed from this page.
  async process(input) {
    const lastStoredKey = (
      await this.warp.stateEvaluator.latestAvailableState(this.contractTxId)
    )?.sortKey
    let result
    if (lastStoredKey?.localeCompare(input.lastSortKey) === 0) {
      this.logger.debug("Safe to use new interaction.", input.sortKey)
      result = await this.warp
        .contract(this.contractTxId)
        .readStateFor([input.interaction])
    } else {
      this.logger.debug(
        "Unsafe to use new interaction - reading th
