@googlemaps/js-api-loader

5 Versions · License · No Install Scripts · Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

google-wombot, wangela, kenough, cbaueratwork, anglaret, ryanbaumann

Keywords

googlemaps

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): Rollup+Terser minified bundle; standard build output for this package. | ai |
source-diff | net-exec-file:dist/index.cjs | AI (source-diff): Library's purpose is to dynamically load Google Maps JS API via script injection. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): @types/google.maps is the official types package for this library's domain. | ai |
dependencies | unvetted-dep:@types/google.maps | AI (dependencies): @types/google.maps is the official Google Maps TypeScript definitions package; well-known and legitimate in this context. | ai |
phantom-deps | phantom-dep:@types/google.maps | AI (phantom-deps): @types/* packages are convention-loaded by TypeScript and not directly imported; phantom-dep finding is a stable false positive for this package. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Major version bump (v1→v2) from Google's official publisher bot explains the long gap; not indicative of account takeover. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): New maintainers appear to be Google Maps platform engineers; published via Google's wombat proxy with official repo URL confirming legitimacy. | ai |

Versions (showing 5 of 5)

Version Deps Published
2.1.0 1 / 28
2.0.2 1 / 27
2.0.1 1 / 27
2.0.0 1 / 27
1.16.8 0 / 27

v2.1.0

2 findings
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO: OSV query failed (source: osv)

Unexpected character ('<' (code 60)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 2, column: 1]

v2.0.2

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

3 findings
HIGH: New obfuscated file: dist/index.cjs (source: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH: New file with network + code execution: dist/index.cjs (source: source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.16.8

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.