@artel/artc
Артель Компилятор | Artel Compiler
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/chunk-7EMGC6AD.js | AI (source-diff): Large bundled build artifact for a compiler tool; network+exec pattern is from bundled Babel/TS runtime helpers, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-Y3SDLINT.js | AI (source-diff): Large bundled compiler output; net+exec pattern is inherent to a compiler/transpiler tool, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-HOEHBJ7R.js | AI (source-diff): Large bundled build artifact for a compiler tool; network+exec pattern is from bundled Babel/TS runtime helpers, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-S6SV63VD.js | AI (source-diff): Large bundled compiler artifact; network+exec pattern is from bundled language-server/compiler code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-6YPLDA76.js | AI (source-diff): Compiler/language-server bundle; network+code-exec pattern is inherent to this package's purpose, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-7D775S4V.js | AI (source-diff): Large bundled compiler artifact; sample shows standard TS polyfill boilerplate, not dropper/loader code. | ai | |
| source-diff | net-exec-file:build/chunk-TSATPA2U.js | AI (source-diff): Large bundled build artifact for a compiler package; network+exec pattern is from bundled toolchain code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-DB2CJDOL.js | AI (source-diff): Build bundle for a compiler package; network+exec pattern is from bundled compiler/LSP code, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-K3EBH7V6.js | AI (source-diff): Large bundled compiler output; network+exec pattern is from bundled toolchain code, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-FIIGCVSM.js | AI (source-diff): Large bundled compiler output; net+exec pattern is from bundled Babel/TS toolchain, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-O2F523M5.js | AI (source-diff): Large bundled build artifact with standard esbuild boilerplate; network+exec pattern is expected for a compiler package. | ai | |
| source-diff | net-exec-file:build/chunk-3PVSYUJV.js | AI (source-diff): Large bundled compiler artifact; sample shows standard build helpers, not malicious network+exec pattern. | ai | |
| source-diff | net-exec-file:build/chunk-4YMBG4SM.js | AI (source-diff): Compiler bundle artifact; sample shows standard esbuild/rollup helpers, not malicious network+exec pattern. | ai | |
| source-diff | net-exec-file:build/chunk-3JS4YG6N.js | AI (source-diff): Compiler/language-server build bundle; network+exec pattern is expected for this tool's functionality, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-VRGYQLZL.js | AI (source-diff): Compiler package; bundled build output with network/eval patterns is expected for a transpiler/compiler tool. | ai | |
| source-diff | net-exec-file:build/chunk-2Q4QKW7T.js | AI (source-diff): Large bundled compiler artifact; network+exec pattern is from bundled deps (Babel, TS, vscode-languageserver), not malware. | ai | |
| source-diff | net-exec-file:build/chunk-FCVCEIPF.js | AI (source-diff): 3MB esbuild bundle for a compiler package; sample shows standard decorator/async helpers, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-MN7XRSIB.js | AI (source-diff): Large bundled compiler artifact; sample shows standard build helpers, not malware patterns. | ai | |
| source-diff | net-exec-file:build/chunk-7EXJHYWX.js | AI (source-diff): Bundled compiler artifact; sample shows standard build helpers, not dropper/loader malware. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Babel deps are well-known transpiler packages consistent with compiler functionality. | ai | |
| source-diff | net-exec-file:build/chunk-ZV4RVSWH.js | AI (source-diff): Large bundled build artifact for a compiler tool; boilerplate JS helpers, not malware patterns. | ai | |
| source-diff | net-exec-file:build/chunk-SJFIPH42.js | AI (source-diff): Large bundled build artifact from established Artel compiler; network+exec pattern is from legitimate compiler/LSP functionality, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-ER3TEZSN.js | AI (source-diff): Bundled compiler output; esbuild/tsc artifact with standard async/decorator helpers, not dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-CWGZOWF7.js | AI (source-diff): Bundled compiler artifact; network+exec pattern comes from vscode-languageserver and compiler internals, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-MLUN6742.js | AI (source-diff): Compiler package; bundled chunk with network+exec patterns is expected for a language compiler/toolchain artifact. | ai | |
| source-diff | net-exec-file:build/chunk-CS2AK7Z7.js | AI (source-diff): Compiler package; large bundled build artifacts with network+exec patterns are expected and stable across versions. | ai | |
| source-diff | net-exec-file:build/chunk-PDVQZURU.js | AI (source-diff): Large bundled compiler artifact; network+exec pattern is from bundled LSP/compiler code, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-E72KEKQV.js | AI (source-diff): Large bundled compiler artifact; network/exec patterns are from bundled deps (vscode-languageserver, babel), not malicious dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-3VRPBHJN.js | AI (source-diff): Large bundled build artifact from a compiler project; network+exec pattern reflects bundled compiler/LSP code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-YNG6354X.js | AI (source-diff): Standard esbuild/rollup bundle for Artel Compiler; bundler boilerplate, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-LX6LUKPR.js | AI (source-diff): Bundled esbuild output for a compiler package; network+exec pattern is from legitimate async/fetch patterns in the bundle, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-EVYL6VFM.js | AI (source-diff): Large bundled compiler output (esbuild); network+exec pattern is from bundled deps, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-LD2OIYWC.js | AI (source-diff): Bundled compiler artifact; sample shows standard build helpers, not dropper/loader patterns. | ai | |
| source-diff | obfuscated-file:build/types/tree/Nodes.d.ts | AI (source-diff): Large .d.ts with long union type lines is expected for a compiler's AST node declarations. | ai | |
| source-diff | net-exec-file:build/chunk-RQOGIK5O.js | AI (source-diff): Compiler/transpiler tool; bundled Babel+TS internals legitimately combine network (LSP) and code execution (transform) patterns. | ai | |
| source-diff | net-exec-file:build/chunk-KCEJTV3Q.js | AI (source-diff): Large bundled build artifact from a compiler package; sample shows standard bundle boilerplate, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-Y77RKBXA.js | AI (source-diff): 4.6MB bundled compiler artifact; sample shows only standard bundler/decorator boilerplate, no actual network or eval patterns. | ai | |
| provenance | no-provenance | AI (provenance): Established package with consistent release history; lack of provenance is common and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:vscode-json-languageservice | AI (phantom-deps): VSCode language service dep referenced via config, stable false positive. | ai | |
| phantom-deps | phantom-dep:jsonc-parser | AI (phantom-deps): Referenced in config files, stable false positive for this compiler package. | ai | |
| phantom-deps | phantom-dep:@vscode/l10n | AI (phantom-deps): VSCode tooling dep referenced via config, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-class-properties | AI (phantom-deps): Babel plugin loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-decorators | AI (phantom-deps): Babel plugin loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/generator | AI (phantom-deps): Babel packages are framework-scoped build deps, not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Babel packages are framework-scoped build deps, not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Babel packages are framework-scoped build deps, not directly imported at runtime. | ai |
Versions (showing 51 of 56)
| Version | Deps | Published |
|---|---|---|
| 0.9.26016 | 14 / 3 | |
| 0.9.26003 | 14 / 3 | |
| 0.6.26039 | 14 / 3 | |
| 0.6.26038 | 14 / 3 | |
| 0.6.26035 | 14 / 3 | |
| 0.6.26034 | 14 / 3 | |
| 0.6.26032 | 14 / 3 | |
| 0.6.26031 | 14 / 3 | |
| 0.6.26030 | 14 / 3 | |
| 0.6.26029 | 14 / 3 | |
| 0.6.26028 | 14 / 3 | |
| 0.6.26027 | 14 / 3 | |
| 0.6.26026 | 14 / 3 | |
| 0.6.26025 | 14 / 3 | |
| 0.6.26024 | 14 / 3 | |
| 0.6.26023 | 14 / 3 | |
| 0.6.26022 | 14 / 3 | |
| 0.6.26017 | 14 / 2 | |
| 0.6.26015 | 14 / 2 | |
| 0.6.26014 | 14 / 2 | |
| 0.6.26010 | 14 / 2 | |
| 0.6.26009 | 14 / 2 | |
| 0.6.26008 | 14 / 2 | |
| 0.6.26006 | 14 / 2 | |
| 0.6.26004 | 14 / 2 | |
| 0.6.26003 | 14 / 2 | |
| 0.6.26001 | 14 / 2 | |
| 0.6.25290 | 14 / 2 | |
| 0.6.25286 | 11 / 2 | |
| 0.6.25283 | 11 / 2 | |
| 0.6.25279 | 11 / 2 | |
| 0.6.25278 | 11 / 2 | |
| 0.6.25277 | 11 / 2 | |
| 0.6.25276 | 11 / 2 | |
| 0.6.25275 | 11 / 2 | |
| 0.6.25273 | 11 / 2 | |
| 0.6.25271 | 11 / 2 | |
| 0.6.25270 | 11 / 2 | |
| 0.6.25266 | 11 / 2 | |
| 0.6.25256 | 11 / 2 | |
| 0.6.25254 | 11 / 2 | |
| 0.6.25248 | 11 / 2 | |
| 0.6.25247 | 11 / 2 | |
| 0.6.25243 | 11 / 2 | |
| 0.6.25242 | 11 / 2 | |
| 0.6.25239 | 11 / 2 | |
| 0.6.25238 | 11 / 2 | |
| 0.6.25237 | 11 / 2 | |
| 0.6.25232 | 11 / 2 | |
| 0.6.25229 | 11 / 2 | |
| 0.6.25228 | 11 / 2 |
v0.9.26016
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.26003
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26039
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26038
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26035
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26034
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26032
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26031
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26030
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26029
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26028
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26027
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26026
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26025
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26024
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26023
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26022
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26017
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26015
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26014
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26010
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26009
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26008
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26006
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26004
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26003
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26001
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25290
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25286
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25283
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25279
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.25278
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.25277
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25276
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25275
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25273
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25271
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25270
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25266
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25256
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25254
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25248
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25247
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25243
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25242
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25239
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25238
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25237
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25232
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25229
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25228
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.