@inploi/plugin-chatbot
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-8b83b99d.js | AI (source-diff): Standard Vite/Rollup minified output; readable logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chatbot-body-46d6ae0c.js | AI (source-diff): Standard Vite/Rollup minified output; readable logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/index-002c5e40.cjs | AI (source-diff): Standard Vite/Rollup minified output; valibot validation code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chatbot-body-92fd0d1f.cjs | AI (source-diff): Standard Vite/Rollup minified output; readable logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chatbot-body-f1401333.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output for this UI plugin; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-d80370e4.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; lodash + inploi SDK internals. | ai | |
| source-diff | net-exec-file:dist/index-05d5a78d.js | AI (source-diff): Same pattern as CJS counterpart; no dropper behavior. | ai | |
| source-diff | net-exec-file:dist/index-d80370e4.cjs | AI (source-diff): Network calls target inploi platform endpoints; dynamic code is Function('return this') global detection idiom from lodash. | ai | |
| source-diff | obfuscated-file:dist/index-05d5a78d.js | AI (source-diff): Standard Vite/Rollup minified ESM bundle; same pattern as CJS counterpart. | ai | |
| source-diff | obfuscated-file:dist/index-5220abff.cjs | AI (source-diff): Standard Vite/Rollup minified build output; lodash utility patterns visible in samples. | ai | |
| source-diff | obfuscated-file:dist/chatbot-body-23ad6c41.cjs | AI (source-diff): Standard Vite/Rollup minified build output; readable chatbot logic visible in samples. | ai | |
| source-diff | obfuscated-file:dist/index-94ac185f.js | AI (source-diff): Standard Vite/Rollup minified build output; readable ESM lodash patterns in samples. | ai | |
| source-diff | net-exec-file:dist/index-5220abff.cjs | AI (source-diff): Network calls are SDK API calls; dynamic code execution is Function('return this') global detection pattern, not malware. | ai | |
| source-diff | net-exec-file:dist/index-94ac185f.js | AI (source-diff): Same pattern as CJS counterpart; Function('return this') is a standard cross-env global accessor. | ai | |
| source-diff | obfuscated-file:dist/chatbot-body-0fa03ac8.cjs | AI (source-diff): Standard Vite/Rollup minified CJS bundle; content is readable UI logic, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-803e84b9.js | AI (source-diff): Same pattern as CJS counterpart; Function('return this') is a standard globalThis polyfill. | ai | |
| source-diff | obfuscated-file:dist/index-803e84b9.js | AI (source-diff): Standard Vite/Rollup minified ESM bundle; content is readable utility code. | ai | |
| source-diff | net-exec-file:dist/index-4cbee407.cjs | AI (source-diff): Network calls are SDK API calls; dynamic code execution is Function('return this') global detection pattern, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-4cbee407.cjs | AI (source-diff): Standard Vite/Rollup minified CJS bundle; content is lodash utilities and SDK imports. | ai | |
| source-diff | obfuscated-file:dist/index-0b742038.cjs | AI (source-diff): Minified Vite/Rollup build output; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/chatbot-body-6eb29db1.cjs | AI (source-diff): Minified Vite/Rollup build output; stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/index-df69f83a.js | AI (source-diff): Same pattern as CJS counterpart; legitimate SDK usage. | ai | |
| source-diff | net-exec-file:dist/index-0b742038.cjs | AI (source-diff): Network calls are inploi SDK API calls; dynamic code execution is Function('return this') global detection pattern, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-df69f83a.js | AI (source-diff): Minified Vite/Rollup build output; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:cdn/index.js | AI (source-diff): cdn/index.js is a minified CDN build artifact produced by the documented build:cdn script; not obfuscation. | ai | |
| source-diff | net-exec-file:cdn/index.js | AI (source-diff): Network calls and dynamic patterns in cdn/index.js are part of the legitimate frontend bundle, not dropper behavior. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 10.0.0 | 0 / 48 | |
| 9.0.1 | 0 / 49 | |
| 9.0.0 | 0 / 49 | |
| 8.0.0 | 0 / 49 | |
| 7.1.1 | 0 / 49 | |
| 7.1.0 | 0 / 49 | |
| 7.0.3 | 0 / 49 | |
| 7.0.2 | 0 / 49 | |
| 7.0.1 | 0 / 49 | |
| 7.0.0 | 0 / 49 | |
| 6.0.0 | 0 / 49 | |
| 5.1.2 | 0 / 49 | |
| 5.1.1 | 0 / 49 | |
v10.0.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.0
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.3
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.2
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.