@byteplus/veplayer-plugin
## Introduction
`@volcengine/veplayer-plugin` is a collection of plugins built on VePlayer, providing VePlayer with additional extension capabilities and solutions.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:esm/veplayer.strategy.rtm.adaptive.buffer.production.js | AI (source-diff): Bundled polyfill pattern. | ai | |
| source-diff | obfuscated-file:esm/veplayer.plugin.ad.development.js | AI (source-diff): Standard bundled/minified media plugin output; consistent with legitimate video player package pattern. | ai | |
| source-diff | obfuscated-file:umd/veplayer.plugin.ad.development.js | AI (source-diff): Standard bundled/minified media plugin output. | ai | |
| source-diff | obfuscated-file:esm/veplayer.plugin.ad.production.js | AI (source-diff): Standard minified production bundle for ad plugin. | ai | |
| source-diff | obfuscated-file:umd/veplayer.plugin.ad.production.js | AI (source-diff): Standard minified production bundle for ad plugin. | ai | |
| source-diff | net-exec-file:esm/veplayer.plugin.ad.production.js | AI (source-diff): Network calls are IMA SDK loading; dynamic code execution is Function('return this') global detection pattern in bundled polyfills. | ai | |
| source-diff | net-exec-file:umd/veplayer.plugin.ad.production.js | AI (source-diff): Same pattern as esm variant; legitimate IMA SDK integration. | ai | |
| source-diff | obfuscated-file:esm/veplayer.plugin.hlsjs.production.js | AI (source-diff): Bundled hls.js library; minification is expected. | ai | |
| source-diff | net-exec-file:esm/veplayer.plugin.hlsjs.production.js | AI (source-diff): hls.js bundle uses Function('return this') global detection; legitimate pattern. | ai | |
| source-diff | obfuscated-file:umd/veplayer.plugin.hlsjs.production.js | AI (source-diff): Bundled hls.js UMD variant; minification expected. | ai | |
| source-diff | net-exec-file:umd/veplayer.plugin.hlsjs.production.js | AI (source-diff): Same as ESM variant; legitimate hls.js bundle pattern. | ai | |
| source-diff | net-exec-file:esm/veplayer.strategy.base.development.js | AI (source-diff): Strategy module bundle; network+exec pattern from bundled polyfills. | ai | |
| source-diff | net-exec-file:umd/veplayer.strategy.base.development.js | AI (source-diff): Strategy module bundle; same pattern. | ai | |
| source-diff | obfuscated-file:esm/veplayer.strategy.base.production.js | AI (source-diff): Minified strategy bundle; expected for production build. | ai | |
| source-diff | net-exec-file:esm/veplayer.strategy.base.production.js | AI (source-diff): Bundled polyfill pattern; not malicious. | ai | |
| source-diff | obfuscated-file:umd/veplayer.strategy.base.production.js | AI (source-diff): Minified UMD strategy bundle. | ai | |
| source-diff | net-exec-file:umd/veplayer.strategy.base.production.js | AI (source-diff): Same bundled polyfill pattern. | ai | |
| source-diff | net-exec-file:esm/veplayer.strategy.rtm.adaptive.buffer.development.js | AI (source-diff): RTM adaptive buffer module; bundled polyfill pattern. | ai | |
| source-diff | net-exec-file:umd/veplayer.strategy.rtm.adaptive.buffer.development.js | AI (source-diff): Same pattern. | ai | |
| source-diff | obfuscated-file:esm/veplayer.strategy.rtm.adaptive.buffer.production.js | AI (source-diff): Minified production bundle. | ai | |
| bogus-package | bogus-package | AI (bogus-package): BytePlus SDK family; missing metadata is a style issue, not a risk signal — stable across versions. | ai | |
v2.12.0
38 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiongxiong.001) than the most recent previously approved version (vcloud_fe) on 2026-06-02, but xiongxiong.001 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.