Code obfuscation paired with outbound network — possible concealed exfil (gentler runtime sibling of the dropper rules)
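Security Alerts
Signals from Shoulder's ecosystem analysis: new packages scanned, risk changes detected, and vulnerabilities found.
Shoulder generates an alert when it analyzes a package and detects a signal worth reviewing. Each alert links to a full threat brief.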
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
OIDC trusted-publisher / SLSA provenance attestation lost vs prior version — publishing pipeline bypassed (account takeover or stolen token signature)
- Publisher email transitioned to a known anonymous-by-design / burner provider — account-takeover signal
- Publisher's current primary email is on a known burner / anonymous-by-design provider — ongoing hijack-shape state (persists across versions; companion to the transition signal)
Import-time bundle the scanner could not fully inspect (streaming fallback on an oversized bundle) whose tarball ballooned sharply vs its last clean release and which carries a runtime execution / exfil surface (eval / shell / network) - uninspectable runtime payload, anomalous for this lineage, failing closed
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
Bulk env-var sweep + shell exec at runtime — credential-stealer
- Obfuscated shell execution — concealment pattern