@chipstcp/digit-ui-module-obps

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

nayandhawananujsingh32yaweralichipsnpmuseranou1234saurabhsingh0001

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/index.modern.js	AI (source-diff): Network calls and dynamic code are from React/leaflet/react-query usage in a UI module bundle, not dropper behavior.	ai	2026/05/30
source-diff	source-size-tripled	AI (source-diff): Size increase is from adding the modern JS bundle and source maps; expected for this build toolchain.	ai	2026/05/30
source-diff	obfuscated-file:dist/index.modern.js	AI (source-diff): Long lines are from microbundle-generated ES module output, not obfuscation; stable pattern for this package.	ai	2026/05/30
phantom-deps	phantom-dep:exif-js	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:leaflet	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:react-modal	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:react-query	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:react-redux	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:lucide-react	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:react-i18next	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:microbundle-crl	AI (phantom-deps): Build tool listed in dependencies rather than devDependencies; not a runtime import.	ai	2026/05/17
phantom-deps	phantom-dep:react-hook-form	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:react-router-dom	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:@geoman-io/leaflet-geoman-free	AI (phantom-deps): Bundled UI module; geoman leaflet plugin declared but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:redux-thunk	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:jspdf	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:redux	AI (phantom-deps): Bundled UI module; deps declared in package.json but consumed via bundle, not direct imports.	ai	2026/05/17
phantom-deps	phantom-dep:react	AI (phantom-deps): React is a peer dependency in UI modules; commonly re-exported or used indirectly.	ai	2026/04/29
phantom-deps	phantom-dep:@chipstcp/digit-ui-react-components	AI (phantom-deps): Same-org scoped dependency; likely re-exported or used indirectly in module.	ai	2026/04/29
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): React-dom is a peer dependency; expected in UI library context.	ai	2026/04/29

Versions (showing 35 of 35)

Version	Deps	Published
1.0.53	17 / 0	2026-06-02
1.0.52	17 / 0	2026-05-29
1.0.51	17 / 0	2026-05-25
1.0.50	17 / 0	2026-05-22
1.0.49	17 / 0	2026-05-22
1.0.48	17 / 0	2026-05-21
1.0.43	17 / 0	2026-05-07
1.0.42	14 / 0	2026-04-27
1.0.41	17 / 0	2026-04-27
1.0.40	17 / 0	2026-04-27
1.0.39	17 / 0	2026-04-27
1.0.38	14 / 0	2026-04-26
1.0.37	17 / 0	2026-04-25
1.0.36	17 / 0	2026-04-25
1.0.35	17 / 0	2026-04-25
1.0.34	17 / 0	2026-04-25
1.0.33	14 / 0	2026-04-23
1.0.32	14 / 0	2026-04-21
1.0.31	14 / 0	2026-04-15
1.0.30	14 / 0	2026-04-14
1.0.29	14 / 0	2026-04-13
1.0.28	14 / 0	2026-04-08
1.0.27	14 / 0	2026-04-06
1.0.26	14 / 0	2026-04-01
1.0.25	14 / 0	2026-03-31
1.0.19	14 / 0	2026-03-16
1.0.18	14 / 0	2026-03-12
1.0.17	14 / 0	2026-03-10
1.0.16	14 / 0	2026-03-08
1.0.15	14 / 0	2026-03-06
1.0.14	14 / 0	2026-03-06
1.0.13	14 / 0	2026-03-06
1.0.12	14 / 0	2026-03-04
1.0.3	14 / 0	2026-02-13
1.0.0	14 / 0	2026-02-10

v1.0.53

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: yawerali → anou1234 (on 2026-06-02, known maintainer) provenance

This version was published by a different npm account (anou1234) than the most recent previously approved version (yawerali) on 2026-06-02, but anou1234 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v1.0.52

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.51

4 findings

HIGH New obfuscated file: dist/index.modern.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/index.modern.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: yawerali → anou1234 (on 2026-05-25, known maintainer) provenance

This version was published by a different npm account (anou1234) than the most recent previously approved version (yawerali) on 2026-05-25, but anou1234 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v1.0.50

4 findings

HIGH New obfuscated file: dist/index.modern.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/index.modern.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: yawerali → anou1234 (on 2026-05-22, known maintainer) provenance

This version was published by a different npm account (anou1234) than the most recent previously approved version (yawerali) on 2026-05-22, but anou1234 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v1.0.49

4 findings

HIGH New obfuscated file: dist/index.modern.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/index.modern.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: yawerali → anou1234 (on 2026-05-22, known maintainer) provenance

This version was published by a different npm account (anou1234) than the most recent previously approved version (yawerali) on 2026-05-22, but anou1234 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v1.0.48

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.43

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.41

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.40

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.39

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.38

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.37

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.36

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.35

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.34

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.33

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.32

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.31

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.30

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.29

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.28

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.27

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.26

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.25

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.19

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.17

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.16

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.14

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.