@factorialco/f0-react
F0 represents a transformative reboot of the visual language for the Factorial platform. Its core mission is to enhance consistency and coherence across Factorial's user interface, while ensuring a quick, efficient, and delightful user and developer exper
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/useDataCollectionSource-D0ocv9zW.js | AI (source-diff): Standard Vite minified bundle; long lines are from bundling, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/F0AiProposalCard-CfICNrar.js | AI (source-diff): React component bundle with CopilotKit imports; no dropper/loader behavior present. | ai | |
| source-diff | net-exec-file:dist/useDataCollectionSource-D0ocv9zW.js | AI (source-diff): React component bundle with CopilotKit imports; no dropper/loader behavior present. | ai | |
| source-diff | obfuscated-file:dist/F0AiProposalCard-CfICNrar.js | AI (source-diff): Standard Vite minified bundle; long lines are from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/F0AiChat-DCBZKVBj.js | AI (source-diff): Vite-minified React bundle for AI chat component; standard build output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/F0AiChat-DCBZKVBj.js | AI (source-diff): Network calls are CopilotKit API interactions; no dynamic code execution pattern in sample. | ai | |
| source-diff | obfuscated-file:dist/F0AiChat-BXsgsBJi.js | AI (source-diff): Standard minified React bundle; readable imports confirm legitimate CopilotKit AI chat component, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-DtigCLJb.js | AI (source-diff): Standard minified bundle output from Vite build; readable import structure confirms legitimate component library code. | ai | |
| source-diff | net-exec-file:dist/F0AiChat-BXsgsBJi.js | AI (source-diff): Network calls are CopilotKit AI API calls; no dynamic code execution beyond normal React rendering patterns. | ai | |
| source-diff | net-exec-file:dist/F0AiChat-BoBl_LAm.js | AI (source-diff): Network calls are CopilotKit API calls; dynamic code execution is React's createElement — no dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/F0AiChat-BoBl_LAm.js | AI (source-diff): Minified build output for a React AI chat component; standard bundler output for this design system package. | ai | |
| source-diff | net-exec-file:dist/F0CanvasPanel-EblUp6hE.js | AI (source-diff): Network calls and dynamic code in bundled React component library are normal; no dropper/loader pattern present. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-DsmyWSV7.js | AI (source-diff): Standard Vite/Rollup minified bundle; long lines are import re-exports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/useChatHistory-6qTtYcQc.js | AI (source-diff): Standard Vite/Rollup minified bundle; long lines are import re-exports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/F0CanvasPanel-EblUp6hE.js | AI (source-diff): Standard Vite/Rollup minified bundle output; not obfuscation. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:echarts-for-react | AI (phantom-deps): Bundled library false positive. | ai | |
| source-diff | net-exec-file:dist/F0CanvasPanel-DNz4nej5.js | AI (source-diff): Network calls are CopilotKit AI API calls; dynamic code execution is React's createElement — expected for this component library. | ai | |
| source-diff | obfuscated-file:dist/F0AiTableCard-8ATpfNg4.js | AI (source-diff): Standard Vite bundle output with readable React/tiptap imports; long lines are minified but not malicious. | ai | |
| source-diff | obfuscated-file:dist/F0CanvasPanel-DNz4nej5.js | AI (source-diff): Standard Vite bundle; imports are from known packages (react, copilotkit, react-dom). Not obfuscated malware. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/core | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:remark-parse | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:y-protocols | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:aria-hidden | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/pm | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:unified | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:colord | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:xlsx | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:vaul | AI (phantom-deps): Same as above — bundled library false positive. | ai | |
| phantom-deps | phantom-dep:yjs | AI (phantom-deps): Bundled component library; deps are tree-shaken into dist, phantom-dep heuristic is unreliable here. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-Dutz5gMZ.js | AI (source-diff): Standard Vite bundle with readable React/tiptap/radix imports; minified but not obfuscated. | ai | |
| phantom-deps | phantom-dep:y-prosemirror | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:@reactuses/core | AI (phantom-deps): Bundled library false positive. | ai | |
| phantom-deps | phantom-dep:remark-rehype | AI (phantom-deps): Bundled library false positive. | ai | |
| source-diff | obfuscated-file:dist/F0AiProposalCard-CsyaQRNb.js | AI (source-diff): Standard Vite minified bundle with readable React/CopilotKit imports; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/useDataCollectionSource-DRE8x9t0.js | AI (source-diff): Same pattern as above — CopilotKit AI integration with React; not dropper/loader behavior. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-DRE8x9t0.js | AI (source-diff): Standard Vite minified bundle; imports from react, react-dom, @copilotkit packages are clearly visible and legitimate. | ai | |
| source-diff | net-exec-file:dist/F0AiProposalCard-CsyaQRNb.js | AI (source-diff): Network calls are CopilotKit AI API calls; dynamic code execution is React createElement — normal UI library pattern. | ai | |
| source-diff | net-exec-file:dist/F0CanvasPanel-8cFWNhbQ.js | AI (source-diff): Network calls and dynamic code in a UI component library bundle are expected; no dropper pattern in sample. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-CeczsYtn.js | AI (source-diff): Minified Vite bundle with recognizable react imports; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/useChatHistory-BLSpXWfe.js | AI (source-diff): Minified Vite bundle with recognizable react/tiptap imports; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/F0CanvasPanel-8cFWNhbQ.js | AI (source-diff): Standard Vite minified bundle; react/radix/tiptap imports visible in sample — not obfuscation. | ai | |
| source-diff | net-exec-file:dist/F0CanvasPanel-DAJcyyFM.js | AI (source-diff): Network calls and dynamic code in minified React bundle are normal for a component library; no dropper pattern visible. | ai | |
| source-diff | obfuscated-file:dist/F0CanvasPanel-DAJcyyFM.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable React imports confirm legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/useChatHistory-D1pjDBvO.js | AI (source-diff): Minified Vite bundle with readable React/tiptap imports; consistent with legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-CjRrXJC3.js | AI (source-diff): Minified Vite bundle with readable React imports; consistent with legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/F0AiProposalCard-Dm9l3Kgu.js | AI (source-diff): Standard Vite/Rollup minified bundle output; long lines are expected for this component library. | ai | |
| source-diff | net-exec-file:dist/useDataCollectionSource-DXKGQFzT.js | AI (source-diff): Network calls are CopilotKit/React API usage in a UI component bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-DXKGQFzT.js | AI (source-diff): Standard Vite/Rollup minified bundle output; long lines are expected for this component library. | ai | |
| source-diff | net-exec-file:dist/F0AiProposalCard-Dm9l3Kgu.js | AI (source-diff): Network calls are CopilotKit/React API usage in a UI component bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/F0CanvasPanel-v9tjaOnW.js | AI (source-diff): Standard Vite-bundled minified output; imports are clearly React/CopilotKit/radix-ui, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/F0CanvasPanel-v9tjaOnW.js | AI (source-diff): Network calls are CopilotKit AI SDK integration; no dynamic code execution beyond normal React rendering. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-BzwXcIpi.js | AI (source-diff): Standard Vite-bundled minified output; long lines are tree-shaken import aliases. | ai | |
| source-diff | obfuscated-file:dist/F0AiTableCard-BzXULBvr.js | AI (source-diff): Standard Vite-bundled minified output; long lines are tree-shaken import aliases, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/F0AiChat-DIqM2tSl.js | AI (source-diff): Network calls are CopilotKit AI API calls; no dynamic code execution pattern found in sample. | ai | |
| source-diff | obfuscated-file:dist/F0AiChat-DIqM2tSl.js | AI (source-diff): Large bundled React/CopilotKit UI component; minification is expected for this design-system package. | ai | |
| source-diff | obfuscated-file:dist/registry-BJ23uROr.js | AI (source-diff): Standard Vite-minified ESM bundle; samples show React/copilotkit/radix-ui imports, consistent with UI library build output. | ai | |
| source-diff | net-exec-file:dist/registry-BJ23uROr.js | AI (source-diff): Network calls are React component renders (CopilotKit AI integration); no dropper/loader pattern present in samples. | ai | |
| source-diff | obfuscated-file:dist/index-DiYIVlNi.js | AI (source-diff): Standard Vite-minified ESM bundle for a React UI library; samples show normal React imports, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/F0AiChat-D1bXbxjx.js | AI (source-diff): Network calls are CopilotKit AI API calls; dynamic execution is standard React rendering. No dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/F0AiChat-D1bXbxjx.js | AI (source-diff): Minified bundle of CopilotKit AI chat component; readable imports confirm legitimate UI code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-Dmd29pkw.js | AI (source-diff): Standard minified component bundle; long lines are import maps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-DeiW759t.js | AI (source-diff): Standard Vite minified bundle; imports are clearly readable React/CopilotKit dependencies. | ai | |
| source-diff | obfuscated-file:dist/F0AiProposalCard-CDG2dAfX.js | AI (source-diff): Standard Vite minified bundle output for a React component library; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/F0AiProposalCard-CDG2dAfX.js | AI (source-diff): Network calls and dynamic code in bundled React/CopilotKit components; no dropper pattern. | ai | |
| source-diff | net-exec-file:dist/useDataCollectionSource-DeiW759t.js | AI (source-diff): Same bundle pattern; CopilotKit AI integration explains network + dynamic execution. | ai | |
| source-diff | obfuscated-file:dist/F0AiChat-C8H9OyiK.js | AI (source-diff): Standard minified React bundle for AI chat component; imports are clearly from @copilotkit and React. | ai | |
| source-diff | obfuscated-file:dist/index-CmGdjT42.js | AI (source-diff): Standard minified main bundle for a React UI library; no malicious indicators in sample. | ai | |
| source-diff | net-exec-file:dist/F0AiChat-C8H9OyiK.js | AI (source-diff): Network calls are CopilotKit AI API calls; code execution is React rendering — expected for an AI chat UI component. | ai | |
| source-diff | net-exec-file:dist/registry-BIy-0Gec.js | AI (source-diff): Network calls are @copilotkit AI SDK usage; no dynamic code execution pattern visible in sample. | ai | |
| source-diff | obfuscated-file:dist/registry-BIy-0Gec.js | AI (source-diff): Bundled registry feature with @copilotkit imports; minification is expected for this package type. | ai | |
| source-diff | obfuscated-file:dist/index-BhZqG8Ou.js | AI (source-diff): Standard Vite-bundled React component library output; minified but readable imports confirm legitimate code. | ai | |
| source-diff | net-exec-file:dist/F0AiChat-RHHqqqMC.js | AI (source-diff): Network calls and dynamic code in a bundled React+CopilotKit AI chat component; expected pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-D_fn_du2.js | AI (source-diff): Standard minified Vite build output; legitimate UI library bundle. | ai | |
| source-diff | obfuscated-file:dist/F0AiChat-RHHqqqMC.js | AI (source-diff): Standard Vite/Rollup minified bundle output for a React UI library; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/F0AiProposalCard-CzWoGKwm.js | AI (source-diff): Network calls are from @copilotkit/react-core UI library; no dropper pattern present. | ai | |
| source-diff | net-exec-file:dist/useDataCollectionSource-DTsD48r9.js | AI (source-diff): Network calls from @copilotkit libraries; consistent with AI sidebar feature addition. | ai | |
| source-diff | obfuscated-file:dist/F0AiProposalCard-CzWoGKwm.js | AI (source-diff): Standard Vite minified bundle; long lines are from bundled imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-DTsD48r9.js | AI (source-diff): Standard Vite minified bundle with legitimate React/CopilotKit imports. | ai | |
| source-diff | net-exec-file:dist/types-zUkcMLoO.js | AI (source-diff): React component library bundle; network/exec pattern is false positive from bundled fetch/eval-free UI code. | ai | |
| source-diff | obfuscated-file:dist/xlsx-Bedf3nwD.js | AI (source-diff): This is the bundled xlsx library, a well-known spreadsheet package; minification is expected. | ai | |
| source-diff | net-exec-file:dist/useDataCollectionSource-BNMQa-mV.js | AI (source-diff): CopilotKit integration bundle; network calls are legitimate AI chat API usage, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/useDataCollectionSource-BNMQa-mV.js | AI (source-diff): Minified Vite bundle with CopilotKit/React imports; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/types-zUkcMLoO.js | AI (source-diff): Standard Vite/Rollup minified bundle output; long lines are import maps, not obfuscation. | ai |
Versions (showing 35 of 35)
| Version | Deps | Published |
|---|---|---|
| 2.39.1 | 84 / 74 | |
| 2.30.2 | 84 / 74 | |
| 2.25.0 | 84 / 74 | |
| 2.22.0 | 84 / 74 | |
| 2.20.1 | 84 / 74 | |
| 2.19.1 | 84 / 74 | |
| 2.14.5 | 84 / 73 | |
| 2.8.0 | 84 / 73 | |
| 2.2.0 | 84 / 73 | |
| 1.471.0 | 84 / 73 | |
| 1.470.1 | 84 / 73 | |
| 1.469.0 | 84 / 73 | |
| 1.468.0 | 84 / 73 | |
| 1.467.0 | 84 / 73 | |
| 1.466.1 | 84 / 73 | |
| 1.466.0 | 84 / 73 | |
| 1.465.0 | 84 / 73 | |
| 1.464.2 | 84 / 73 | |
| 1.464.1 | 84 / 73 | |
| 1.464.0 | 84 / 73 | |
| 1.463.0 | 84 / 73 | |
| 1.462.0 | 84 / 73 | |
| 1.459.1 | 84 / 73 | |
| 1.459.0 | 84 / 73 | |
| 1.458.1 | 84 / 73 | |
| 1.457.0 | 84 / 73 | |
| 1.454.0 | 84 / 73 | |
| 1.444.0 | 84 / 73 | |
| 1.438.2 | 84 / 73 | |
| 1.429.0 | 84 / 73 | |
| 1.427.0 | 84 / 72 | |
| 1.425.4 | 84 / 72 | |
| 1.425.2 | 84 / 72 | |
| 1.425.1 | 84 / 72 | |
| 1.425.0 | 84 / 72 |
v2.39.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.2
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.5
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.470.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.469.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.468.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.467.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.466.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.466.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.465.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.464.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.464.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.464.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.463.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.462.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.459.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.459.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.458.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.457.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.454.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.444.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.438.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.429.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.427.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.425.4
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.425.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.425.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.425.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.