@bigbinary/neeto-editor
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/cjs/chunk-C-VxABfm.cjs.js | AI (source-diff): CJS equivalent of CSS-in-JS chunk; same benign pattern. | ai | |
| source-diff | net-exec-file:dist/chunk-BFKmIsWV.js | AI (source-diff): File contains axios HTTP calls and drag-drop DOM handlers; no dynamic code execution pattern. | ai | |
| source-diff | net-exec-file:dist/chunk-CeoqieEt.js | AI (source-diff): CSS-in-JS (stylis) processor bundled with React; no malicious network+exec pattern. | ai | |
| source-diff | obfuscated-file:dist/editor-output.js | AI (source-diff): Standard Rollup bundle output; minified CSS/JS lines are expected for this package. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): Standard Rollup bundle output; minified lines are expected for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-BJhk4N3E.js | AI (source-diff): Axios for file uploads + React rendering; legitimate editor functionality, not dropper malware. | ai | |
| source-diff | net-exec-file:dist/cjs/chunk-CdckCFos.cjs.js | AI (source-diff): CJS equivalent of ESM chunk; same legitimate file-upload + UI pattern. | ai | |
| source-diff | net-exec-file:dist/cjs/chunk-DjozIdFz.cjs.js | AI (source-diff): CJS equivalent of ESM chunk; same legitimate file-upload + UI pattern. | ai | |
| source-diff | net-exec-file:dist/chunk-zRPC4lVr.js | AI (source-diff): Axios for file uploads + React rendering; legitimate editor functionality, not dropper malware. | ai | |
| source-diff | obfuscated-file:dist/Editor.js | AI (source-diff): Standard Rollup bundle output; minified lines are expected for this package. | ai | |
| source-diff | obfuscated-file:dist/EditorContent.js | AI (source-diff): Standard Rollup bundle output; minified lines are expected for this package. | ai | |
| npm-metadata | url-dep:@bigbinary/s3-uploader | AI (npm-metadata): devDependency only; no runtime impact on consumers; consistent with BigBinary's internal tooling pattern. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 1.47.118 | 0 / 178 | |
| 1.47.117 | 0 / 178 | |
| 1.47.116 | 0 / 178 | |
| 1.47.115 | 0 / 178 | |
| 1.47.114 | 0 / 178 | |
| 1.47.113 | 0 / 178 | |
| 1.47.112 | 0 / 177 | |
| 1.47.111 | 0 / 163 | |
| 1.47.110 | 0 / 163 | |
| 1.47.109 | 0 / 163 | |
| 1.47.108 | 0 / 163 | |
| 1.47.107 | 0 / 163 | |
| 1.47.106 | 0 / 163 | |
| 1.47.105 | 0 / 163 | |
| 1.47.104 | 0 / 163 | |
v1.47.118
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.117
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.116
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.115
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.47.114
8 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.113
8 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.112
5 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.111
9 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.110
9 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.109
9 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.47.108
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.47.107
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.47.106
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.47.105
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.47.104
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.