@kb-labs/studio-app
KB Labs Studio application
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/main.9d8162c2.js | AI (source-diff): Webpack/rspack production bundle; minification is expected for this frontend app. | ai | |
| source-diff | net-exec-file:dist/main.9d8162c2.js | AI (source-diff): Bundled React app with fetch calls and eval-like patterns from webpack runtime; not malicious. | ai | |
| phantom-deps | phantom-dep:@ant-design/plots | AI (phantom-deps): Legitimate Ant Design dep; phantom-dep heuristic false positive for this bundled app package. | ai | |
| phantom-deps | phantom-dep:clsx | AI (phantom-deps): Well-known utility; phantom-dep heuristic false positive for this bundled app package. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Well-known date library; phantom-dep heuristic false positive for this bundled app package. | ai | |
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): Well-known icon library; phantom-dep heuristic false positive for this bundled app package. | ai | |
| phantom-deps | phantom-dep:react-router-dom | AI (phantom-deps): Legitimate routing dep; phantom-dep heuristic false positive for this bundled app package. | ai | |
| phantom-deps | phantom-dep:@ant-design/icons | AI (phantom-deps): Legitimate Ant Design dep; phantom-dep heuristic false positive for this bundled app package. | ai | |
| phantom-deps | phantom-dep:@kb-labs/studio-hooks | AI (phantom-deps): Same-org sibling package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/studio-ui-kit | AI (phantom-deps): Same-org sibling package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/studio-ui-core | AI (phantom-deps): Same-org sibling package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/studio-devtools | AI (phantom-deps): Same-org sibling package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/studio-event-bus | AI (phantom-deps): Same-org sibling package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:react-resizable | AI (phantom-deps): Peer dep of react-grid-layout; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:react-grid-layout | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@ant-design/charts | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/qa-contracts | AI (phantom-deps): Same-org contract package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/agent-contracts | AI (phantom-deps): Same-org contract package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@types/react-grid-layout | AI (phantom-deps): Type definitions; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/quality-contracts | AI (phantom-deps): Same-org contract package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/rest-api-contracts | AI (phantom-deps): Same-org contract package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/release-manager-contracts | AI (phantom-deps): Same-org contract package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Declared runtime dep in a UI app; phantom-dep heuristic false positive. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Build config pattern: only forwards KB_-prefixed env vars into the bundle, not a credential leak. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:antd | AI (phantom-deps): Bundled app; antd used in compiled output, not directly imported in analyzed entry. | ai | |
| phantom-deps | phantom-dep:zustand | AI (phantom-deps): Bundled app pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:reactflow | AI (phantom-deps): Bundled app pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@kb-labs/studio-data-client | AI (phantom-deps): Same-org monorepo dep; bundled app pattern. | ai | |
| phantom-deps | phantom-dep:@kb-labs/workflow-contracts | AI (phantom-deps): Same-org monorepo dep; bundled app pattern. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Bundled app pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query-devtools | AI (phantom-deps): Bundled app pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled app ships compiled output; peer deps declared but not directly imported is expected. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Same as react — bundled app pattern. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Bundled app pattern; stable false positive for this package. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 2.94.0 | 34 / 19 | |
| 2.89.0 | 34 / 19 | |
| 2.16.0 | 34 / 19 | |
| 0.7.0 | 34 / 18 | |
| 0.6.0 | 34 / 18 | |
v2.94.0
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: k.baranov.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.89.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.16.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.