@harperfast/harper-pro
Harper is a distributed database, caching service, streaming broker, and application development platform focused on performance and ease of use.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:studio/web/assets/status-ChxVrrli.js | AI (source-diff): Vite/Rolldown-bundled frontend asset for HarperDB Studio; minification is expected. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-D77bwywc.js | AI (source-diff): Vite/Rolldown-bundled frontend asset for HarperDB Studio; minification is expected. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-BJjklK4V.js | AI (source-diff): Vite/Rolldown-bundled frontend asset for HarperDB Studio; minification is expected. | ai | |
| source-diff | obfuscated-file:studio/web/assets/button-BqaHkv91.js | AI (source-diff): Vite/Rolldown-bundled frontend asset for HarperDB Studio; minification is expected. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-viz-DlC3nLj3.js | AI (source-diff): Bundled visualization vendor chunk for HarperDB Studio UI; patterns are from charting library internals. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-react-Cyct1o5I.js | AI (source-diff): Bundled React vendor chunk for HarperDB Studio UI; network+eval patterns are from React/axios internals. | ai | |
| source-diff | obfuscated-file:studio/web/assets/button-B_oawaxm.js | AI (source-diff): Vite/Rolldown bundled frontend asset for HarperDB Studio UI; minification is expected. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-viz-ZSCDRpol.js | AI (source-diff): Bundled visualization vendor chunk for Studio UI; standard minified library output. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-react-9UzkyydK.js | AI (source-diff): Bundled React vendor chunk for Studio UI; network+eval patterns are from React/library internals, not malware. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-CTVScYc8.js | AI (source-diff): Vite/Rolldown bundled frontend asset for HarperDB Studio UI; minification is expected. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-CYGLFi1u.js | AI (source-diff): Vite/Rolldown bundled frontend asset for HarperDB Studio UI; minification is expected. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-CgbKZc--.js | AI (source-diff): Vite/Rolldown bundled frontend asset for HarperDB Studio UI; minification is expected. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-Tv7e9k8K.js | AI (source-diff): Standard Vite/Rolldown minified bundle for HarperDB Studio UI; not malware. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-110CCE-v.js | AI (source-diff): Standard Vite/Rolldown minified bundle for HarperDB Studio UI; not malware. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-voeNsl4C.js | AI (source-diff): Standard Vite/Rolldown minified bundle for HarperDB Studio UI; not malware. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-26y1EUMG.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-BeDlmXju.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-CWeBJPXe.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-BIjBsaWw.js | AI (source-diff): Standard Vite/Rolldown minified bundle for HarperDB Studio UI; not malicious obfuscation. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-viz-Db_2kM67.js | AI (source-diff): Vite vendor bundle (visualization libs) for Studio UI; false positive. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-react-Dj1rnUQ4.js | AI (source-diff): Vite vendor bundle (React) for Studio UI; false positive. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-misc-DKMU5hOJ.js | AI (source-diff): Vite vendor bundle for Studio UI; false positive. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-core-f32UXcS5.js | AI (source-diff): Vite vendor bundle (axios, etc.) for Studio UI; network+eval pattern is false positive for bundled frontend code. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-BrfTnnpt.js | AI (source-diff): Standard Vite/Rolldown minified bundle for HarperDB Studio UI; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-Dyrp-ZIJ.js | AI (source-diff): Standard Vite/Rolldown minified bundle for HarperDB Studio UI; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/button-V4IQ8FFq.js | AI (source-diff): Standard Vite/Rolldown minified bundle for HarperDB Studio UI; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-KVqwJsbk.js | AI (source-diff): Standard Vite/Rolldown minified UI bundle; not obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-CKW3SZJG.js | AI (source-diff): Standard Vite/Rolldown minified UI bundle; not obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-DAsdweRg.js | AI (source-diff): Standard Vite/Rolldown minified UI bundle; not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New studio web UI build artifacts; expected for a full-stack database platform. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-react-DSi8mF-Y.js | AI (source-diff): Vite vendor bundle (React ecosystem); net-exec pattern is false positive for bundled UI libraries. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-viz-Bu6T8W_w.js | AI (source-diff): Vite vendor bundle (visualization libs); net-exec pattern is false positive for bundled UI libraries. | ai | |
| source-diff | obfuscated-file:studio/web/assets/button-Nyh_djVh.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-DfcUUI7w.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-IcGoxtBp.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-CxrkcGr7.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-core-D9powGyb.js | AI (source-diff): Vite vendor bundle (axios + utilities); network calls and dynamic patterns are standard bundled library code. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-misc-Ca8iItyG.js | AI (source-diff): Vite vendor bundle (floating-ui/popper etc.); net-exec pattern is false positive for bundled UI libraries. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-WCta5cFe.js | AI (source-diff): Vite/Rolldown minified frontend bundle; stable pattern for this package's studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-7-bH4Dg3.js | AI (source-diff): Vite/Rolldown minified frontend bundle; stable pattern for this package's studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-BjwD_EXc.js | AI (source-diff): Vite/Rolldown minified frontend bundle; stable pattern for this package's studio UI. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-core-8FI3Cbaa.js | AI (source-diff): Vendor bundle (axios + zod) for Studio UI; network calls and dynamic code are legitimate library patterns. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-misc-Bj3r0doz.js | AI (source-diff): Vendor bundle (floating-ui etc.) for Studio UI; not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:studio/web/assets/button-b8IkGZ_9.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-1vGw6eGc.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-viz-morXXTZA.js | AI (source-diff): Visualization vendor bundle for Studio UI; not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-DI-LWtGo.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-react-C3fPIb_V.js | AI (source-diff): React vendor bundle for Studio UI; not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-DQa37TIR.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio UI. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-qbLPhOzw.js | AI (source-diff): Vite-bundled studio UI asset with accompanying .js.map; standard minification for a web frontend, not obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-F3bEc3dt.js | AI (source-diff): Minified React UI component for user profile editing; no malicious indicators. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-CnVRDPsO.js | AI (source-diff): Minified React UI component for status/metrics display; no malicious indicators. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-DlmBuk_k.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle for HarperDB Studio; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-BAnbW0Rq.js | AI (source-diff): Standard Vite-bundled Studio UI asset; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-CFSLl1du.js | AI (source-diff): Standard Vite-bundled Studio UI asset; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-4WybhUdn.js | AI (source-diff): Standard Vite-bundled Studio UI asset; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-DEbcplKh.js | AI (source-diff): Vite-bundled frontend asset for HarperDB Studio; minification is expected for this package. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-viz-Cs-GQIim.js | AI (source-diff): Vite-bundled visualization vendor bundle (mermaid/charts) for Studio UI; no malicious patterns. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-react-DyY32duL.js | AI (source-diff): Vite-bundled React vendor bundle for Studio UI; standard minified React code. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-misc-DiaKLG2J.js | AI (source-diff): Vite-bundled vendor bundle for Studio UI; no malicious patterns in sample. | ai | |
| source-diff | net-exec-file:studio/web/assets/vendor-core-DlDjzdYO.js | AI (source-diff): Vite-bundled vendor bundle (axios, etc.) for Studio UI; network+eval pattern is from legitimate library code. | ai | |
| source-diff | obfuscated-file:studio/web/assets/status-DwYg6LpK.js | AI (source-diff): Vite-bundled frontend asset for HarperDB Studio; minification is expected. | ai | |
| source-diff | obfuscated-file:studio/web/assets/profile-DX5mq9gw.js | AI (source-diff): Vite-bundled frontend asset for HarperDB Studio; minification is expected. | ai | |
| provenance | no-provenance | AI (provenance): Established HarperDB publisher; absence of Sigstore attestation is common and not a risk signal here. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-DL0ibcSu.js | AI (source-diff): Standard Vite-minified bundle with source map; pattern is stable across studio UI releases of this package. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-Dq1Ma4KE.js | AI (source-diff): Standard Vite-bundled frontend asset for HarperDB Studio; minification is expected and the source map is included. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-BftP-yQ8.js | AI (source-diff): Standard Vite-minified frontend bundle with accompanying source map; expected for HarperDB Studio UI across all versions. | ai | |
| source-diff | obfuscated-file:studio/web/assets/index-C0And10y.js | AI (source-diff): Standard Vite-bundled web UI asset with accompanying source map; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:pino | AI (phantom-deps): Config-file reference; heuristic false positive for this large platform package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): jsLoader.ts is a documented JS module loader; dynamic require is the core feature, not a risk. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Database platform spreading process.env for subprocess execution (git SSH) is expected operational behavior. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding application payload tarballs from base64 is a documented deployment feature of this platform. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Server process management (stop.js) legitimately uses child_process; stable for this package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in cryptoHash.js is standard AES decryption (IV + ciphertext); not obfuscation. | ai | |
| phantom-deps | phantom-dep:human-readable-ids | AI (phantom-deps): Config-file reference; heuristic false positive. | ai | |
| phantom-deps | phantom-dep:node-stream-zip | AI (phantom-deps): Config-file reference; heuristic false positive. | ai | |
| phantom-deps | phantom-dep:cli-progress | AI (phantom-deps): Config-file reference; heuristic false positive. | ai | |
| phantom-deps | phantom-dep:ulidx | AI (phantom-deps): Config-file reference; heuristic false positive. | ai |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 5.0.28 | 80 / 31 | |
| 5.0.27 | 80 / 31 | |
| 5.0.23 | 80 / 31 | |
| 5.0.21 | 80 / 31 | |
| 5.0.20 | 80 / 31 | |
| 5.0.19 | 80 / 31 | |
| 5.0.18 | 80 / 31 | |
| 5.0.14 | 80 / 31 | |
| 5.0.13 | 80 / 31 | |
| 5.0.12 | 80 / 31 | |
| 5.0.10 | 80 / 31 | |
| 5.0.9 | 80 / 31 | |
| 5.0.8 | 80 / 31 | |
| 5.0.7 | 80 / 31 | |
| 5.0.6 | 80 / 32 | |
| 5.0.5 | 80 / 31 | |
| 5.0.3 | 80 / 31 | |
v5.0.28
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.27
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.23
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.21
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.20
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.19
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.18
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.14
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.13
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.12
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.10
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.9
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.8
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.7
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.6
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.