@bunny.net/datocms-plugin

Integrate bunny.net storage in your datocms

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

kevin_at_bunnyantho-bunnynotrabbogdan-at-bunny

Keywords

datocms-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/assets/index-D44cXLrA.js	AI (source-diff): Vite-minified frontend bundle for a DatoCMS plugin; minification is expected and benign for this package.	ai	2026/05/21
source-diff	net-exec-file:dist/assets/index-D44cXLrA.js	AI (source-diff): Network calls are fetch() for modulepreload; dynamic code is standard module pattern from Vite build, not dropper behavior.	ai	2026/05/21
phantom-deps	phantom-dep:lodash-es	AI (phantom-deps): Bundled output; lodash-es tree-shaken at build time, not directly imported in analyzed source.	ai	2026/05/07
phantom-deps	phantom-dep:datocms-react-ui	AI (phantom-deps): DatoCMS UI lib consumed in bundled dist; phantom-dep is a false positive for this build setup.	ai	2026/05/07
phantom-deps	phantom-dep:react	AI (phantom-deps): Vite-bundled plugin; React is consumed at build time and not directly imported in analyzed source.	ai	2026/05/07
phantom-deps	phantom-dep:@tanstack/react-virtual	AI (phantom-deps): Bundled Vite output; @tanstack/react-virtual consumed at build time.	ai	2026/05/07
phantom-deps	phantom-dep:datocms-plugin-sdk	AI (phantom-deps): DatoCMS SDK consumed in bundled dist; phantom-dep is a false positive for this build setup.	ai	2026/05/07
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): Same Vite-bundle pattern; react-dom consumed at build time.	ai	2026/05/07

Versions (showing 2 of 2)

Version	Deps	Published
0.1.0	6 / 9	2026-05-14
0.0.1	6 / 9	2026-05-01

v0.1.0

3 findings

HIGH New obfuscated file: dist/assets/index-D44cXLrA.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/assets/index-D44cXLrA.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.