@acidify/core
Kotlin NTQQ protocol implementation, ported to JS
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/acidify-acidify-core.mjs | AI (source-diff): Encoded strings are Kotlin/JS transpiler output (decodeVarLenBase64 pattern); stable false positive for this Kotlin-compiled package. | ai | |
| source-diff | net-exec-file:dist/acidify-acidify-core.mjs | AI (source-diff): Large bundled Kotlin/JS stdlib output; polyfill patterns are not malicious network+exec behavior. | ai | |
| source-diff | encoded-string-file:dist/acidify-acidify-core.js | AI (source-diff): Encoded strings are Kotlin/JS compiled Unicode range tables (decodeVarLenBase64), not obfuscated payloads. Stable pattern for this package. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @acidify/core is a QQ protocol library; name similarity to 'cors' is coincidental, not impersonation. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a declared runtime dep; likely consumed via bundled output rather than direct import. | ai | |
| phantom-deps | phantom-dep:fflate | AI (phantom-deps): fflate is a declared runtime dep; likely consumed via bundled output rather than direct import. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 1.6.1 | 2 / 2 | |
| 1.6.0 | 2 / 2 | |
| 1.5.1 | 2 / 2 | |
| 1.5.0 | 2 / 2 | |
| 0.7.0 | 1 / 2 | |
| 0.6.1 | 1 / 2 | |
| 0.6.0 | 1 / 2 | |
| 0.5.4 | 1 / 2 | |
| 0.5.3 | 1 / 2 | |
| 0.5.2 | 1 / 2 | |
| 0.5.1 | 1 / 2 | |
| 0.5.0 | 1 / 2 | |
| 0.4.1 | 1 / 2 | |
| 0.4.0 | 1 / 2 | |
| 0.3.4 | 1 / 2 | |
| 0.3.3 | 1 / 2 | |
v1.6.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.0
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.1
2 findings
Package name '@acidify/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.0
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.4
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.3
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.2
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.1
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.0
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.1
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.4
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.