@akinon/ui-shell-dev
Development shell application for Akinon UI Protocol plugins
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/assets/index-DoWxl4fH.js | AI (source-diff): Vite-bundled React frontend output; minification is expected for this package's dist artifacts. | ai | |
| source-diff | net-exec-file:dist/assets/index-DoWxl4fH.js | AI (source-diff): Network calls are modulepreload polyfill fetches; dynamic execution is standard React runtime — not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-JnMA6cFT.js | AI (source-diff): Standard Vite minified bundle output; browser-ponyfill is a well-known fetch polyfill, not malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DCXVq4S-.js | AI (source-diff): Standard Vite minified bundle; samples show React runtime and modulepreload polyfill, normal frontend build artifact. | ai | |
| source-diff | net-exec-file:dist/assets/index-DCXVq4S-.js | AI (source-diff): Network calls are fetch() for modulepreload; no dynamic code execution beyond normal module loading patterns in a Vite bundle. | ai | |
| source-diff | net-exec-file:dist/assets/index-DtEmgDOa.js | AI (source-diff): Network calls are modulepreload fetch polyfill; dynamic code patterns are standard React/Vite bundle patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DtEmgDOa.js | AI (source-diff): Vite-bundled SPA asset containing React and UI components; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-Ap_gQ62s.js | AI (source-diff): Standard Vite-minified build output for a UI shell; fetch-ponyfill bundle, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BGFvqk6X.js | AI (source-diff): Standard Vite production bundle; minified output is expected for this UI shell package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BGFvqk6X.js | AI (source-diff): Network+exec pattern is browser fetch + modulepreload in a Vite bundle; not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-lG7-MI19.js | AI (source-diff): Network calls are modulepreload fetch polyfill; dynamic code is React rendering — normal frontend bundle pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-lG7-MI19.js | AI (source-diff): Standard Vite production bundle containing React and UI shell code; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-BEZ5u7Iv.js | AI (source-diff): Standard Vite-minified browser polyfill bundle; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-CDUI6TEB.js | AI (source-diff): Network calls and dynamic code are standard React SPA bundle patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CDUI6TEB.js | AI (source-diff): Vite-bundled SPA output; minification is expected for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-D6a6pO8M.js | AI (source-diff): Network call is modulepreload fetch polyfill in Vite bundle; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D6a6pO8M.js | AI (source-diff): Standard Vite/React production bundle; minified not obfuscated. Expected artifact for this UI shell package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DAU00iTN.js | AI (source-diff): Standard Vite production bundle; minified React code with license headers, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-DAU00iTN.js | AI (source-diff): Network calls are fetch() for modulepreload; dynamic code is standard React/Vite bundle patterns, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-DHg_jhdM.js | AI (source-diff): fetch() is used for modulepreload prefetching in the Vite bundle; no dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DHg_jhdM.js | AI (source-diff): Standard Vite minified bundle for a UI shell app; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BVTQ9FC8.js | AI (source-diff): Vite production bundle containing React and Akinon UI libs; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-CAmmUYfz.js | AI (source-diff): Vite-minified browser fetch ponyfill; standard build output for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BVTQ9FC8.js | AI (source-diff): Network calls are modulepreload fetch polyfill; dynamic code execution is React/Vite runtime — no malware indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C1-YnYpJ.js | AI (source-diff): Standard Vite production bundle containing React and app code; minification is expected for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-C1-YnYpJ.js | AI (source-diff): fetch() calls are Vite's modulepreload polyfill; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-Cdu83Cfw.js | AI (source-diff): Standard Vite minified build output; browser-ponyfill is a well-known fetch polyfill bundled by Vite. | ai | |
| source-diff | net-exec-file:dist/assets/index-CNgx52S6.js | AI (source-diff): fetch() calls are part of Vite's modulepreload polyfill in the bundled output, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CNgx52S6.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-9EiNW7dc.js | AI (source-diff): Network calls are module preload fetch polyfill; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | obfuscated-file:dist/assets/index-9EiNW7dc.js | AI (source-diff): Standard Vite production bundle containing React and UI components; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-BxfB6fPc.js | AI (source-diff): Standard Vite-bundled fetch polyfill; minification is expected for this UI shell build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-DUPB2glR.js | AI (source-diff): Standard Vite-minified browser polyfill bundle; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DxAcDLRC.js | AI (source-diff): Standard Vite-minified frontend bundle containing React and UI components. | ai | |
| source-diff | net-exec-file:dist/assets/index-DxAcDLRC.js | AI (source-diff): Network calls are fetch() for modulepreload; dynamic code is React JSX runtime — normal browser bundle pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-C7mNkN6z.js | AI (source-diff): Standard Vite-minified browser polyfill bundle; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BJpkWK4Z.js | AI (source-diff): Standard Vite-minified React app bundle; contains React JSX runtime and modulepreload polyfill. | ai | |
| source-diff | net-exec-file:dist/assets/index-BJpkWK4Z.js | AI (source-diff): Network calls are fetch() for modulepreload; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | net-exec-file:dist/assets/index-BnvPCrbb.js | AI (source-diff): Network calls are modulepreload fetch polyfill; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BnvPCrbb.js | AI (source-diff): Standard Vite production bundle; minified JS is expected for this frontend shell package. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-BGsv3mgF.js | AI (source-diff): Browser fetch ponyfill bundled by Vite; minification is expected and content is benign. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BsChIOYn.js | AI (source-diff): Standard Vite production bundle with React; minification is expected for this UI shell package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BsChIOYn.js | AI (source-diff): Network calls are browser fetch for modulepreload; dynamic code execution is React's standard JSX runtime — not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-C6aIgVqA.js | AI (source-diff): Standard Vite-minified browser polyfill bundle; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-B3_wIjTe.js | AI (source-diff): Network calls are fetch() for modulepreload; dynamic code is React's Symbol-based element creation — normal frontend bundle pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B3_wIjTe.js | AI (source-diff): Standard Vite production bundle containing React and UI components; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-Bucb1FRz.js | AI (source-diff): Standard Vite-minified bundle output; browser-ponyfill is a well-known fetch polyfill. | ai | |
| source-diff | net-exec-file:dist/assets/index-CpQGPWA0.js | AI (source-diff): Network calls are modulepreload fetch polyfill; dynamic code is React rendering — normal frontend bundle pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CpQGPWA0.js | AI (source-diff): Standard Vite production bundle containing React and UI code; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-b3LvLXPF.js | AI (source-diff): Standard Vite-minified browser polyfill bundle; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-BK54fEpJ.js | AI (source-diff): Network calls and dynamic code in a browser bundle are normal React/Vite patterns (fetch for modulepreload, dynamic imports). | ai | |
| source-diff | obfuscated-file:dist/assets/index-BK54fEpJ.js | AI (source-diff): Vite-bundled React production build; long lines are standard minification, not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dk6Gr15i.js | AI (source-diff): Standard Vite minified bundle output; readable identifiers and React/antd license headers confirm legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B7lULVzA.js | AI (source-diff): Standard Vite production bundle containing React and UI components; minification is expected. | ai | |
| source-diff | net-exec-file:dist/assets/index-B7lULVzA.js | AI (source-diff): Network calls are modulepreload fetch polyfill; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-BNS0WExu.js | AI (source-diff): Standard Vite-minified bundle output; browser-ponyfill is a well-known fetch polyfill. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-CP1-bH8M.js | AI (source-diff): Standard minified fetch polyfill bundled by Vite; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CIYAGHLc.js | AI (source-diff): Standard Vite production bundle containing React and UI components; minification is expected. | ai | |
| source-diff | net-exec-file:dist/assets/index-CIYAGHLc.js | AI (source-diff): Network calls are fetch() for module preloading; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | net-exec-file:dist/assets/index-BGRUHdu2.js | AI (source-diff): fetch + modulepreload in bundled browser code; not server-side exfiltration. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BGRUHdu2.js | AI (source-diff): Vite-bundled React app output; minification is standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-CtzvK0Gt.js | AI (source-diff): Vite-bundled fetch ponyfill; minified dist output is expected for this UI shell package. | ai | |
| source-diff | obfuscated-file:dist/assets/browser-ponyfill-Bp5UldbF.js | AI (source-diff): Standard Vite-minified browser polyfill bundle; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-GZ0DpkEA.js | AI (source-diff): Standard Vite-bundled frontend app (React, router, etc.); minification is expected for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-GZ0DpkEA.js | AI (source-diff): Network calls are modulepreload fetch polyfill; dynamic code execution is React's Symbol.for — normal browser bundle pattern. | ai | |
| source-diff | net-exec-file:dist/assets/index-weXi-MoA.js | AI (source-diff): Network calls are modulepreload fetch polyfill; dynamic execution is React's normal runtime — no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-weXi-MoA.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for this UI shell package. | ai | |
| phantom-deps | phantom-dep:@akinon/icons | AI (phantom-deps): Same-org package; declared as a dependency in package.json, phantom detection is a false positive for this package. | ai | |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 1.6.18 | 14 / 8 | |
| 1.6.16 | 14 / 8 | |
| 1.6.15 | 14 / 8 | |
| 1.6.13 | 14 / 8 | |
| 1.6.12 | 14 / 8 | |
| 1.6.11 | 14 / 8 | |
| 1.6.10 | 14 / 8 | |
| 1.6.9 | 14 / 8 | |
| 1.6.8 | 14 / 8 | |
| 1.6.7 | 14 / 8 | |
| 1.6.6 | 14 / 8 | |
| 1.6.5 | 14 / 8 | |
| 1.6.4 | 14 / 8 | |
| 1.6.3 | 14 / 8 | |
| 1.6.2 | 14 / 8 | |
| 1.6.1 | 14 / 8 | |
| 1.6.0 | 14 / 8 | |
| 1.5.4 | 14 / 8 | |
| 1.5.3 | 11 / 8 | |
| 1.5.2 | 11 / 8 | |
| 1.5.0 | 11 / 8 | |
| 1.4.0 | 11 / 8 | |
| 1.3.6 | 11 / 8 | |
| 1.3.5 | 11 / 8 | |
| 1.3.4 | 11 / 8 | |
| 1.3.3 | 11 / 8 | |
| 1.3.2 | 11 / 8 | |
| 1.3.1 | 11 / 7 | |
| 1.3.0 | 11 / 7 | |
| 1.2.0 | 11 / 7 | |
| 1.1.0 | 8 / 7 | |
| 1.0.0 | 12 / 7 | |
v1.6.18
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.15
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.13
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.12
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.10
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.9
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.8
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.7
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.6
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.5
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.3
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.4
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.6
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.