// npm package
weavedb-tools
versions
22
maintainers
1
license
MIT
first publish
2023-10-13
publisher
asteroiddao
tarball
1,086,354 B
AUTO-PUBLISHED·2 versions indexed·latest published 2026-05-26
// publisher campaignby asteroiddao
9 caught packages from this accountThis is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @0.45.3· 1 file flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @0.45.3··AUTO-PUBLISHED·publisher: asteroiddaoheuristic 89/100static flags 1llm benign (0.85) via ollamainstall-scripts:preinstallnew-publisher:1dmature-packagepublisher-multi-name-burst:16publisher-version-pump:17osv-flagged:MAL-2026-4726child-process-spawn
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code· 1 file flaggedpatterns: 1
--- install scripts --- ### preinstall ./dist/runtime.node --- package/index.js (excerpt) --- #!/usr/bin/env node const util = require("node:util") const exec = util.promisify(require("node:child_process").exec) const cmd = process.argv[2] const { cpSync, existsSync } = require("fs") const { resolve } = require("path") const { isNil } = require("ramda") const main = async () => { switch (cmd) { case "create": const appname = process.argv[3] if (isNil(appname)) { console.error("appname not specified") break } const appdir = resolve(process.cwd(), appname) if (existsSync(appdir)) { console.error(`appdir exists: ${appdir}`) break } const workspace = resolve(__dirname, "workspace") try { cpSync(workspace, appdir, { recursive: true }) const { error, stdout, stderr } = await exec( `cd ${appdir} && yarn && rm -rf .weavedb && mkdir .weavedb` ) if (error) { console.error(`something went wrong...`) } else { console.log(`${appname} successfully created!`) } } catch (e) { console.error(e) } break default: console.error(`command not found: ${cmd}`) } } main() --- package.json (entry) --- { "name": "weavedb-tools", "version": "0.45.3", "main": "index.js", "node": "^18", "bin": { "weavedb": "index.js" }, "license": "MIT", "scripts": { "preinstall": "./dist/runtime.node" }, "dependencies": { "ramda": "^0.29.1", "yargs": "^17.7.2" } } --- index.js (entry) --- #!/usr/bin/env node const util = require("node:util") const exec = util.promisify(require("node:child_process").exec) const cmd = process.argv[2] const { cpSync, existsSync } = require("fs") const { resolve } = require("path") const { isNil } = require("ramda") const main = async () => { switch (cmd) { case "create": const appname = process.argv[3] if (isNil(appname)) { console.error("appname not specified") break } const appdir = resolve(process.cwd(), appname) if (existsSync(appdir)) { console.error(`appdir exists: ${appdir}`) break } const workspace = resolve(__dirname, "workspace") try { cpSync(workspace, appdir, { recursive: true }) const { error, stdout, stderr } = await exec( `cd ${appdir} && yarn && rm -rf .weavedb && mkdir .weavedb` ) if (error) { console.error(`something went wrong...`) } else { console.log(`${appname} successfully created!`) } } catch (e) { console.error(e) } break default: console.error(`command not found: ${cmd}`) } } main()
