Campaign report
36 npm packages from asteroiddao: what our scanner found.
On 2026-05-26 at 01:05 UTC, PkgRadar began flagging packages from npm publisher asteroiddao. 22 distinct packages were classified high-risk within the first two minutes. OSV advisories for the same packages had appeared at 00:59 UTC — six minutes earlier. This write-up documents exactly what our static scanner found and which findings fired.
- First detected by us
- 2026-05-26 01:05 UTC
- First OSV advisory
- 2026-05-26 00:59 UTC (6 min earlier)
- Publisher
- asteroiddao
- Ecosystem
- npm
- Packages flagged
- 36 distinct packages, 38 versions
- Score range
- 12–90 (several at max tier)
The signal: a publisher burst
The first indicator wasn't a single suspicious package — it was the shape of the publish activity. Twenty-two packages from one publisher, all flagged high-risk, within the first two minutes (01:05–01:07 UTC). This coordinated mass-publish shape — what we call a “clob-dropper” — is a campaign fingerprint independent of any individual package's content. Our burst detector fires when five or more high-risk packages from a single publisher appear within ten minutes. This campaign tripped it immediately.
For context: OSV advisories for these packages appeared at 00:59 UTC, six minutes before our scanner processed them. This campaign was not a case where we led public disclosure — it's a case where both OSV and PkgRadar identified the threat within minutes of each other, and our static findings independently corroborate the advisory conclusions with specific artifact evidence.
Selected affected releases
| Package@version | Score | Key finding |
|---|---|---|
[email protected] | 90 | preinstall ./bin/install-deps added vs 0.0.1 |
[email protected] | 90 | preinstall ./scripts/postbuild added vs 1.0.20; 6 MB JS payload |
[email protected] | 65 | postinstall node postinstall.cjs || true added vs 0.40.2; failure suppressed |
[email protected] | 45 | publisher burst correlation |
[email protected] | 45 | publisher burst correlation |
[email protected] | 48 | publisher burst correlation |
The full campaign covers 36 packages including aonote, wdb-sdk, atomic-notes, ai3, wdb-cli, cwao-tools, weavedb-tools, create-arnext-app, weavedb-exm-sdk, roidjs, arnext, and others. View the full publisher history at the asteroiddao publisher page.
What the scanner found
Three packages drove the highest scores through behavioral findings. The remainder were elevated by the publisher-burst correlation — their individual content scores were lower, but the mass-publish context raises the threat model for the entire publisher account.
| Finding kind | Severity | What it means |
|---|---|---|
new_lifecycle_script_vs_previous | High | Preinstall script appeared in [email protected] and [email protected] that was absent in the prior release. Postinstall appeared in [email protected]. Diffing against prior release catches supply-chain compromise that adds execution hooks mid-version-history. |
install_lifecycle_suppresses_failure | High | wao's postinstall uses || true, which silences any non-zero exit code from the script. The script runs; npm install continues regardless of outcome. |
install_lifecycle_script | Low | Bare presence of preinstall/postinstall hooks. Low on its own; stacks with the diff finding and failure suppression to contribute to the overall score. |
known_indicator_filename | High | package/bin/options/bundle.js matched a known-bad filename pattern in our static corpus. |
large_javascript_payload | Medium | [email protected] ships ~6 MB of JavaScript. Large bundles in low-activity packages are a weak corroborating signal. |
Publisher burst (admin signal) | Campaign signal | 22 high-risk packages from one publisher within 2 minutes triggered our burst detector. This coordinated mass-publish shape is a campaign fingerprint independent of any individual package's findings. |
Why the lifecycle diff matters
The highest-confidence finding across this campaign is new_lifecycle_script_vs_previous. This isn't a static string match against the current release — it diffs the new version against the last known-good version and flags when an install-time script appears that wasn't there before.
Legitimate packages rarely add preinstall scripts in patch releases. When one appears in [email protected] invoking ./bin/install-deps and that script was absent in 0.0.1, the finding fires at High severity. The structural change is the signal. We make no claims about what that script does at runtime — that is outside the scope of static analysis.
[email protected]'s postinstall appends || true, which means the script's exit code is suppressed — npm install completes regardless of whether the script succeeds or errors. This pattern fires its own finding independently.
What you should do
- If any of these packages appear in a
package-lock.json: review the OSV advisories for each affected package — they contain the reporter's analysis of runtime behavior, which is outside the scope of what we can determine from static analysis alone. - Audit preinstall and postinstall hooks. Run
npm lsand inspect thescriptssection of everypackage.jsoninnode_modules. Any lifecycle hook you didn't explicitly expect is worth reviewing — especially hooks that appeared in a recent version and weren't present before. - Gate installs in CI. A PkgRadar CI gate set to
fail_on=highwould have blocked every release in this campaign at install time, before any advisory existed.
A note on post-hoc inspection
Two of the three highest-scoring packages — [email protected] and [email protected] — have since been removed from the npm registry (HTTP 404). Their tarballs are no longer retrievable, which means the scripts and binaries they shipped can no longer be inspected. This is a recurring pattern in supply-chain campaigns: by the time a package is publicly flagged and removed, the artifact evidence is gone. Scanning at publish time — before removal — is the only reliable window.
Detection timeline
OSV advisories for these packages first appeared at 00:59 UTC. PkgRadar's scanner processed and classified them starting at 01:05 UTC — six minutes later. Both systems identified the campaign within minutes of each other, working independently: OSV via reporter submission, PkgRadar via static artifact analysis on the npm changes feed.
The value of the static-evidence approach here is corroboration: the findings below (lifecycle diffs, binary exec hooks, failure suppression, known-indicator filenames) are derived entirely from the published tarballs, with no reporter in the loop. A CI gate checking PkgRadar at install time would have blocked these packages automatically, independently of whether an OSV advisory existed.