
@amsom-habitat/ui

Versions: 25
License: (no value shown)
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amsom-habitat

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/index-DW6kT0Fx.js | AI (source-diff): Vite-bundled Vue component library output; minification is expected. | ai |
source-diff | net-exec-file:dist/index.es-BhzEj6YA.js | AI (source-diff): Standard polyfill pattern (Function('return this')); no real network+exec threat. | ai |
source-diff | encoded-string-file:dist/ui.umd.cjs | AI (source-diff): UMD bundle with license text and TS helpers; not malicious payloads. | ai |
source-diff | obfuscated-file:dist/html2canvas-CDGcmOD3.js | AI (source-diff): Minified bundle of html2canvas library; standard Vite build output for this UI package. | ai |
source-diff | obfuscated-file:dist/purify-BfsPID7W.js | AI (source-diff): Minified bundle of DOMPurify library; standard Vite build output for this UI package. | ai |
source-diff | net-exec-file:dist/index.es-BkqYVoOB.js | AI (source-diff): Function('return this')() is core-js global detection; no actual network+exec malware pattern present. | ai |
phantom-deps | phantom-dep:moment-timezone | AI (phantom-deps): Likely used in bundled dist or re-exported; stable false positive for this package. | ai |
phantom-deps | phantom-dep:vue-draggable-next | AI (phantom-deps): Vue UI library; dep used in components bundled into dist. | ai |
phantom-deps | phantom-dep:@amsom-habitat/date-utils | AI (phantom-deps): Same org scope; used in bundled dist components. | ai |
phantom-deps | phantom-dep:@amsom-habitat/file-utils | AI (phantom-deps): Same org scope; used in bundled dist components. | ai |
phantom-deps | phantom-dep:@amsom-habitat/amsom-modal | AI (phantom-deps): Same org scope; used in bundled dist components. | ai |
phantom-deps | phantom-dep:@amsom-habitat/amsom-table | AI (phantom-deps): Same org scope; used in bundled dist components. | ai |
typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped org package @amsom-habitat/ui; not a typosquat of uuid. | ai |
phantom-deps | phantom-dep:@fortawesome/vue-fontawesome | AI (phantom-deps): FontAwesome Vue integration; used in bundled dist. | ai |
phantom-deps | phantom-dep:@fortawesome/fontawesome-svg-core | AI (phantom-deps): FontAwesome core; used in bundled dist. | ai |
phantom-deps | phantom-dep:@fortawesome/free-solid-svg-icons | AI (phantom-deps): FontAwesome icons; used in bundled dist. | ai |
phantom-deps | phantom-dep:@fortawesome/free-brands-svg-icons | AI (phantom-deps): FontAwesome icons; used in bundled dist. | ai |
phantom-deps | phantom-dep:@fortawesome/free-regular-svg-icons | AI (phantom-deps): FontAwesome icons; used in bundled dist. | ai |
phantom-deps | phantom-dep:@amsom-habitat/bootstrap-5 | AI (phantom-deps): Same org scope; used in bundled dist components. | ai |
typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped org package; not a typosquat of pg. | ai |
typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped org package; not a typosquat of qs. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped org package; not a typosquat of joi. | ai |
typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped org package; not a typosquat of yup. | ai |
phantom-deps | phantom-dep:pdf-merger-js | AI (phantom-deps): UI library; deps may be re-exported or used in bundled dist without direct import in analyzed source. | ai |

Versions (showing 25 of 25)

Version | Deps | Published
2.20.22 | 13 / 16 |
2.20.21 | 13 / 16 |
2.20.20 | 13 / 16 |
2.20.19 | 13 / 16 |
2.20.15 | 14 / 18 |
2.20.14 | 14 / 18 |
2.20.13 | 14 / 18 |
2.20.12 | 14 / 18 |
2.20.11 | 14 / 18 |
2.20.10 | 14 / 18 |
2.20.9 | 14 / 18 |
2.20.8 | 13 / 18 |
2.20.7 | 12 / 18 |
2.20.6 | 12 / 18 |
2.20.5 | 12 / 18 |
2.20.4 | 12 / 18 |
2.20.3 | 12 / 18 |
2.19.2 | 12 / 18 |
2.19.1 | 12 / 18 |
2.19.0 | 12 / 18 |
2.18.0 | 12 / 18 |
2.16.0 | 12 / 18 |
2.15.2 | 12 / 18 |
2.15.1 | 12 / 18 |
2.15.0 | 12 / 18 |

v2.20.22 (4 findings)

HIGH [source-diff] New obfuscated file: dist/html2canvas-CDGcmOD3.js
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New file with network + code execution: dist/index.es-BkqYVoOB.js
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH [source-diff] New obfuscated file: dist/purify-BfsPID7W.js
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.21 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.19 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.20.15 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.14 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.13 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.12 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.11 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.10 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.9 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.8 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.7 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.6 (4 findings)

HIGH [source-diff] New obfuscated file: dist/index-DW6kT0Fx.js
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New file with network + code execution: dist/index.es-BhzEj6YA.js
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH [source-diff] Long encoded string in modified file: dist/ui.umd.cjs
Modified file contains 17 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.5 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.20.4 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.20.3 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.19.2 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.19.1 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.19.0 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.18.0 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.16.0 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.15.2 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.15.1 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.15.0 (1 finding)

LOW [provenance] No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.