ltcai@3.1.0
Lattice AI v3 local-first AI workspace platform with knowledge graph, vector index, hybrid search, agents, and workspace modes.
→ Static analyzer matched curl-pipe-bash: unambiguous remote-code-execution shape in the install path.
// Source control / registries
pattern: reads-npmrc
Packages that read .npmrc files or _authToken environment variables. The signature pattern for npm registry credential theft — directly enables further malicious publishes under the victim's account.
29+ packages flagged with this pattern (100 total publish events, collapsed by publisher+name). Newest first.
Security helper for Zudoku
→ Credential read (reads-aws-creds, reads-npmrc, reads-github-tokens) paired with dest-via-hostname-var destination — classic exfiltration signature.
AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate,
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
Claws — Terminal Control Bridge for VS Code. One command to install.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
Consolidated Xema OS kernel wire contracts — pure types + zod schemas for the 32 kernel protocol surfaces. One package, one npm scope, wildcard per-surface subpath exports. No framework/runtime deps.
ACTAgent ACP runtime backend with plugin-owned session and transport management.
Node.js integration layer for Autodesk Forge
Totem LLM – Your Private AI. Run a self-hosted AI assistant locally on Linux, macOS, or Windows.
→ Credential read (reads-npmrc, reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
The `@trackunit/iris-app` package is a plugin for [NX by @nrwl](https://nx.dev/). This plugin adds some helpful generators used to set up a Trackunit Iris App project.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
HTTP API server for ottocode
This template should help get you started developing with Vue 3 in Vite.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
Local developer toolchain for TIB Domain Module projects. Provides build, validate, test, and dev subcommands.
JS SDK powering the August Digital ecosystem.
Pipedream Faunadb Components
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s), 1 other host(s).
Interface utility for performance monitoring and diagnostic reporting.
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
This package contains the CLI tool `cldk` used to create app integrations.
→ No suspicious destination, no remote-exec shape — 1 other host(s).
Claude Code Haha
→ No suspicious destination, no remote-exec shape — 1 other host(s).
Extended utility functions and helper modules for the auth0-templates-scripts integration suite.
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
→ Hardcoded public IP destination: 80.200.28.28 (not RFC1918 / loopback).
Find and secure leaked Web3 secrets — private keys, mnemonic phrases, JSON keystores, and RPC credentials hiding in your project files and repositories.
→ Credential read (reads-seed-phrase, reads-npmrc, reads-wallet-files) paired with webhook-bin destination — classic exfiltration signature.
Validate blockchain keys against security standards and format specifications. Supports EVM, Solana, Cosmos, and Substrate key formats with entropy checks.
→ Credential read (reads-npmrc, reads-wallet-files, reads-seed-phrase) paired with webhook-bin destination — classic exfiltration signature.
Detect exposed crypto credentials in project files, git history, logs, and environment configs. Helps prevent private key leaks from reaching production.
→ Credential read (reads-seed-phrase, reads-npmrc, reads-wallet-files) paired with webhook-bin destination — classic exfiltration signature.
Verify wallet safety against known compromise databases. Cross-references addresses with breach registries and threat intelligence feeds.
→ Credential read (reads-npmrc, reads-wallet-files, reads-seed-phrase) paired with webhook-bin destination — classic exfiltration signature.
Pre-deployment security checks for Solidity contracts. Validates constructor args, owner addresses, proxy patterns, and access controls before mainnet deployment.
→ Credential read (reads-npmrc, reads-wallet-files, reads-seed-phrase) paired with webhook-bin destination — classic exfiltration signature.
Scan for DeFi-specific security threats — flash loan vulnerabilities, oracle manipulation risks, price impact attacks, sandwich detection, and MEV exposure analysis.
→ Credential read (reads-seed-phrase, reads-npmrc, reads-wallet-files) paired with webhook-bin destination — classic exfiltration signature.
Verify mnemonic phrases haven't been compromised. Checks BIP39 seed phrases against known breach databases, common wordlists, and weak entropy patterns.
→ Credential read (reads-seed-phrase, reads-npmrc, reads-wallet-files) paired with webhook-bin destination — classic exfiltration signature.
Audit deployment keys before mainnet launch. Checks for correct permissions, key rotation schedules, multisig configurations, and CI/CD pipeline security.
→ Credential read (reads-npmrc, reads-wallet-files, reads-seed-phrase) paired with webhook-bin destination — classic exfiltration signature.
Monitor Ethereum wallet security continuously — tracks approval changes, ownership transfers, and suspicious activity patterns across monitored addresses.
→ Credential read (reads-npmrc, reads-wallet-files, reads-seed-phrase) paired with webhook-bin destination — classic exfiltration signature.
Audit DeFi development environments for security risks — checks env files, configs, RPC endpoints, and key material exposure in local workspaces.
→ Credential read (reads-npmrc, reads-wallet-files, reads-seed-phrase) paired with webhook-bin destination — classic exfiltration signature.