@elliemae/ssf-guest
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.8402b07b7960210b16bf.js | AI (source-diff): Network+exec pattern fires on normal webpack bundle; no dropper behavior evident in sample. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.8402b07b7960210b16bf.js | AI (source-diff): Standard webpack minified bundle with lodash; not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.978ed50e66c23bc975cd.js | AI (source-diff): Standard webpack bundle with visible lodash source; minification is expected for this package's dist output. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.978ed50e66c23bc975cd.js | AI (source-diff): Network+exec pattern in a webpack bundle is normal for a browser guest library; no dropper indicators in the sample. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.6a4579277563c043d276.js | AI (source-diff): Standard webpack bundle with lodash; minified output is expected for this package's build pipeline. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.6a4579277563c043d276.js | AI (source-diff): UMD bundle pattern with network calls is normal for this SSF guest library; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.dc017a38b78ac30a1aa3.js | AI (source-diff): Standard webpack minified bundle with source map; consistent with this package's established build pattern. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.dc017a38b78ac30a1aa3.js | AI (source-diff): UMD bundle with network calls is expected for a micro-frontend guest library; no dropper behavior present. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.386bd3b249e7baa53c5a.js | AI (source-diff): Network/exec pattern is from UMD wrapper + lodash utilities in a minified bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.386bd3b249e7baa53c5a.js | AI (source-diff): Standard webpack minified bundle with source map; consistent with this package's build output pattern. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.650afabac7fe99fb3a5b.js | AI (source-diff): Standard webpack bundle for an established Ellie Mae library; minification is expected build output. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.650afabac7fe99fb3a5b.js | AI (source-diff): UMD bundle pattern with network calls is normal for this ICE MT SSF guest library; no dropper behavior evident. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.70d35ed24daaaae84bd5.js | AI (source-diff): Standard webpack bundle with lodash; minification is expected for this dist artifact. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.70d35ed24daaaae84bd5.js | AI (source-diff): UMD bundle pattern; network+exec pattern is from bundled library code, not malware. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.ee124e1dde329168b45d.js | AI (source-diff): Heuristic fires on normal bundled XHR + function calls in a frontend library; no actual dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.ee124e1dde329168b45d.js | AI (source-diff): Standard webpack minified bundle for a frontend library; long lines are expected build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.7eac030a329ee1e7f98f.js | AI (source-diff): Standard webpack minified bundle with source map; lodash and UMD wrapper visible in sample. Expected artifact for this frontend library. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.7eac030a329ee1e7f98f.js | AI (source-diff): Network+exec pattern in a browser bundle is normal for a micro-frontend guest library; no dropper indicators in the sample. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.f5b295c7f5ba9c71436b.js | AI (source-diff): Network+eval pattern in a webpack bundle is expected for this micro-frontend library; no malicious payload visible. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.f5b295c7f5ba9c71436b.js | AI (source-diff): Standard webpack bundle with identifiable lodash source; minification is expected for this frontend library. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.717e29ef28e37af46c23.js | AI (source-diff): Minified webpack bundle with source map; standard build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.717e29ef28e37af46c23.js | AI (source-diff): UMD bundle with dynamic require; no malicious network+exec pattern, just standard module loading. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.bb29d41c0e22d4dc6455.js | AI (source-diff): Standard webpack minified bundle with lodash license header; not obfuscated malware. Pattern is stable for this package. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.bb29d41c0e22d4dc6455.js | AI (source-diff): Network+exec pattern fires on webpack bundle's UMD wrapper; expected for a browser guest library, not a dropper. | ai | |
| phantom-deps | phantom-dep:@elliemae/pui-logrocket | AI (phantom-deps): Same-org dep; may be used indirectly via bundled dist rather than direct import. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.3aeb730fdd1156849f23.js | AI (source-diff): Standard webpack minified bundle with visible lodash license header; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.3aeb730fdd1156849f23.js | AI (source-diff): Network+exec pattern in a webpack bundle is expected for a guest library; no dropper indicators in sample. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.96a061c4db53d98ae977.js | AI (source-diff): Network+eval pattern is from webpack module loader boilerplate, not dropper malware. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.96a061c4db53d98ae977.js | AI (source-diff): Standard webpack minified bundle with lodash; long lines are expected build output for this package. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.8a0d46ec8fe865ab60ed.js | AI (source-diff): Standard webpack minified bundle with source map; lodash and UMD wrapper clearly visible. Not obfuscation. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.8a0d46ec8fe865ab60ed.js | AI (source-diff): Network+exec pattern in a frontend bundle is expected; no dropper behavior visible in sample. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.f079c1af6182dca7c93f.js | AI (source-diff): Network+eval pattern in a webpack bundle is a false positive for this package; no malicious payload evident. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.f079c1af6182dca7c93f.js | AI (source-diff): Standard webpack bundle for an established ICE/Ellie Mae library; minification is expected across all versions. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.89e5afb8f3f4bc7225e1.js | AI (source-diff): Network+exec pattern fires on UMD bundle boilerplate; no actual dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.89e5afb8f3f4bc7225e1.js | AI (source-diff): Standard webpack minified bundle from an established ICE/Ellie Mae build pipeline; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.965b40481782717c67fc.js | AI (source-diff): Network+exec pattern fires on webpack bundle boilerplate (UMD require/define); no actual dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.965b40481782717c67fc.js | AI (source-diff): Standard webpack minified bundle with UMD wrapper; not obfuscation. Pattern is stable for this package's build output. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.5e336ff598fec26bbf3c.js | AI (source-diff): Network+exec pattern is from UMD/webpack boilerplate, not dropper code. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.5e336ff598fec26bbf3c.js | AI (source-diff): Standard webpack bundle output; minified dist files are expected for this package. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfGuest.c7cb2a470c4afce20567.js | AI (source-diff): Standard webpack minified bundle output; content is recognizable lodash/utility code with UMD wrapper. | ai | |
| source-diff | net-exec-file:dist/public/js/emuiSsfGuest.c7cb2a470c4afce20567.js | AI (source-diff): Network+exec pattern in a browser bundle is expected for a micro-frontend guest library; no dropper indicators in sample. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal enterprise library; sparse README and no keywords are expected for org-scoped packages. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 2.28.6 | 3 / 3 | |
| 2.28.4 | 3 / 3 | |
| 2.28.3 | 3 / 3 | |
| 2.28.2 | 3 / 3 | |
| 2.28.1 | 3 / 3 | |
| 2.28.0 | 3 / 3 | |
| 2.25.3 | 3 / 3 | |
| 2.25.2 | 3 / 3 | |
| 2.25.1 | 3 / 3 | |
| 2.25.0 | 3 / 3 | |
| 2.23.7 | 3 / 3 | |
| 2.23.6 | 3 / 3 | |
| 2.23.4 | 3 / 3 | |
| 2.23.2 | 3 / 3 | |
| 2.22.3 | 3 / 3 | |
| 2.22.2 | 3 / 3 | |
| 2.22.1 | 3 / 3 | |
| 2.21.4 | 3 / 3 | |
| 2.21.2 | 4 / 4 | |
| 2.21.0 | 4 / 4 | |
| 2.20.3 | 4 / 4 | |
| 2.20.2 | 4 / 4 | |
| 2.19.2 | 3 / 3 | |
| 2.19.1 | 3 / 3 | |
| 2.19.0 | 3 / 3 | |
| 2.18.1 | 3 / 3 | |
| 2.17.4 | 3 / 3 | |
| 2.17.3 | 3 / 3 | |
| 2.17.1 | 3 / 3 | |
| 2.17.0 | 3 / 3 | |
| 2.16.6 | 3 / 3 | |
v2.28.6
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.23.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.23.6
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.22.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.22.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.21.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.19.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.19.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.17.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.16.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.