→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
weekly: — /wk | llm verdict: malicious 0.96 | h-score: 52 | patterns: 34 | size: 35.0 MB | versions: 292
AUTO-PUBLISHED/npm/ethsmith@1.0.0 by webpalms
Unified Ethereum dev toolkit — Ganache-compatible API powered by Foundry (Forge + Cast + Anvil + Chisel) with LevelDB persistence
Typed async workflows with automatic error inference. Build type-safe workflows with Result types, step caching, resume state, and human-in-the-loop support.
AdiaUI A2UI training corpus — canonical v0.9 catalog + chunks + eval fixtures + feedback + gap registry. Consumed by the compose engine's retrieval layer + the MCP pipeline.
→ Static analyzer matched curl-pipe-bash: unambiguous remote-code-execution shape in the install path.
weekly: — /wk | llm verdict: malicious 0.95 | h-score: 44 | patterns: 3 | size: 7.2 MB | versions: 1
AUTO-PUBLISHED/npm/cli-jaw@2.1.3 by bitkyc08
Personal AI assistant powered by Antigravity, AI-E, Claude, Claude E, Codex, Codex App, Cursor, Gemini, Grok, OpenCode, and Copilot — Web, Terminal, Telegram, and Discord interfaces with 107 built-in skills
steals → AI API keys, 1Password, Telegram → sends to https://github.com/lidge-jun/cli-jaw.git