Static pattern: reads-env-vars

stripe-internal-utils@1.0.0

Full RCE PoC -osama

→ 의심 전송지로 발송: wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.

did-00916 versions·11.0.5→11.1.8

xxx

→ 의심 전송지로 발송: tjalcgvzuaojvayjfdfh1rtb4ojaobofs.oast.fun.

collected-forms-embed-js2 versions·1.0.2→1.0.5

Full RCE PoC - Alex Birsan Style

→ 의심 전송지로 발송: wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.

pipeline-check@1.1.0

CI/CD Security Posture Scanner — scores AWS, Terraform, CloudFormation, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket Pipelines, Jenkins, CircleCI, Google Cloud Build, Buildkite, Drone CI, Tekton, Argo Workflows, Dockerfile, Kubernetes manifests, Helm charts, OCI image manifests, SCM repo posture (GitHub / GitLab / Bitbucket), npm and pypi dependency files against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks

→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.

openclaw-cn@0.2.0

Openclaw 中文版 - WhatsApp gateway CLI (Baileys web) with Pi RPC agent

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s), 1 other host(s).

jest-electron@0.1.12

Easiest way to run jest unit test cases in electron.

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

echarts-for-react@3.0.7

Apache Echarts components for React.

→ 의심 전송지 없음, 원격 실행 형태 없음 — 2 known-vendor host(s).

@openclaw-cn/cli@1.3.1

The official CLI for OpenClaw-CN Agent ecosystem

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 other host(s).

@antv/torch@1.0.6

torchjs for @antv.

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/s2@2.7.1

effective spreadsheet render core lib

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s), 1 other host(s).

@antv/s2-react@2.3.1

use S2 with react

@antv/narrative-text-vis@0.3.16

React component of interactive narrative text

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/narrative-text-editor@0.2.20

React component of narrative text editor

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/mcp-server-antv@0.1.8

MCP Server for AntV visualization libraries development, which provides documentation context and examples for visualization developers.

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/li-aiearth-assets@0.4.7

Standard Tooling for location insight assets

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/l7-react@2.4.3

L7-React 已全面 升级为 LarkMap,不在进行维护 。 LarkMap 空间数据可视分析组件库

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s), 1 other host(s).

@antv/l7-draw@3.1.5

A drawing package for L7

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/istanbul@0.0.0

Yet another JS code coverage tool that computes statement, line, function and branch coverage with module loader hooks to transparently add coverage when running tests. Supports all JS coverage use cases including unit tests, server side functional tests

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/graphin-components@2.4.1

Components for graphin

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/g6-cli@0.0.4

Scaffolding Your Extension for G6

→ 의심 전송지 없음, 원격 실행 형태 없음 — 4 known-vendor host(s).

@antv/g2-brush@0.0.2

Select a one-, two-dimensional or irregular region using the mouse.

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/f2@5.14.0

Charts for mobile visualization.

→ 의심 전송지 없음, 원격 실행 형태 없음 — 6 known-vendor host(s), 1 other host(s).

@antv/f-engine@1.10.0

FEngine 是 AntV F 系列可视化引擎的底层渲染引擎，为移动端提供了一套完整的渲染、事件、动画能力，能方便的构建可视化 UI

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

@antv/dipper-map@1.0.10

在线 Demo 地址: https://antv.vision/DipperMap/demo

→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s), 1 other host(s).

@antv/ava@3.6.0-alpha.0

A framework for automated visual analytics.

→ 의심 전송지 없음, 원격 실행 형태 없음 — 2 known-vendor host(s).