@knime/jsonforms
Internal JSON Forms integration for frontend KNIME projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/RichTextControl-qxb7TlZF.js | AI (source-diff): Minified Vite build output for a rich-text Vue component; long lines are expected bundle format. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-QqVBwk2Y.js | AI (source-diff): Standard Vite-bundled Vue component; no actual dropper/loader pattern present. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-B4sXG50p.js | AI (source-diff): Standard Vite-bundled Vue component; imports are from vue/lodash/date-fns, no actual network+exec payload. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-QqVBwk2Y.js | AI (source-diff): Minified Vite build output; long lines are expected bundle format for this package. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BDEWXlve.js | AI (source-diff): Minified Vite bundle; code structure matches legitimate Vue component library, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DP_G9eeL.js | AI (source-diff): Minified Vite bundle with readable Vue component structure; long lines are expected for bundled output. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BDEWXlve.js | AI (source-diff): Same Vite bundle pattern; code is clearly Vue component library output, not malware. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BKrpWptT.js | AI (source-diff): Vite-bundled Vue component output; network/exec pattern is Vue reactivity + standard JS, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-Dlr5vvag.js | AI (source-diff): Same Vite bundle pattern; false positive from bundled utility code. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CWoV802y.js | AI (source-diff): Vite bundle with date-fns and Vue imports; no actual network calls or dynamic code execution. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-Dlr5vvag.js | AI (source-diff): Standard Vite minified ESM bundle; long lines from bundled lodash/date-fns utilities. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-kheYEifs.js | AI (source-diff): Standard Vite minified ESM bundle for a rich text control component. | ai | |
| source-diff | obfuscated-file:dist/index-Dyq6GaKc.js | AI (source-diff): Standard Vite minified ESM bundle; no obfuscation, just minified Vue component code. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-CrCHZCp7.js | AI (source-diff): Minified Vite build output; long lines are expected for bundled Vue components. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-9vUUhE9J.js | AI (source-diff): Minified Vite build output for a frontend library; long lines are expected bundled code. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-CrCHZCp7.js | AI (source-diff): Standard Vite-bundled ESM output; Vue component bundle misidentified as network+exec pattern. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BuFOMGSo.js | AI (source-diff): Standard Vite-bundled ESM output; Vue/lodash imports misidentified as network+exec pattern. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DUiVfobT.js | AI (source-diff): Standard Vite minified output; long lines are normal for bundled Vue components, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-C1gAECu3.js | AI (source-diff): Standard Vite minified output; long lines are normal for bundled Vue components, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-Jq9ukHjM.js | AI (source-diff): Vite-bundled Vue component chunk; no actual network fetch or eval — minified imports from sibling chunks only. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DUiVfobT.js | AI (source-diff): Vite-bundled Vue component chunk; no actual network fetch or eval — standard minified Vue/lodash bundle. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DH6GqUeF.js | AI (source-diff): Vite-bundled Vue component output; minified but not obfuscated, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DML-OwvR.js | AI (source-diff): Network/exec pattern is from bundled Vue/browser runtime code, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DML-OwvR.js | AI (source-diff): Vite-bundled Vue component output; minified but not obfuscated, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BseRdW9f.js | AI (source-diff): Network/exec pattern is from bundled Vue runtime and lodash-es; no actual dropper behavior in sample. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BseRdW9f.js | AI (source-diff): Standard Vite-minified Vue bundle; long lines are normal build output for this package. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DvYkBpzH.js | AI (source-diff): Standard Vite-minified Vue bundle; long lines are normal build output for this package. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-CvHKGQTr.js | AI (source-diff): Vite-minified ESM bundle; readable code, no obfuscation indicators. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-C5cOzVPC.js | AI (source-diff): Vite-bundled Vue/date-fns output; no actual network calls or dynamic exec in the sample — stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-nsJBcFCj.js | AI (source-diff): Minified Vite build artifact; long lines are normal bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DgGRklWy.js | AI (source-diff): Minified Vite build artifact for a Vue component; long lines are normal bundler output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-nsJBcFCj.js | AI (source-diff): Standard Vite-bundled Vue component output; no actual network fetch or eval present in samples. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-mOEGN5Ue.js | AI (source-diff): Standard Vite-bundled Vue/date-fns output; no actual network fetch or eval present in samples. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BlRVDpai.js | AI (source-diff): Bundle imports Vue reactivity and date-fns utilities; no actual network fetch or dynamic code execution present in sample. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-Do0etb2v.js | AI (source-diff): Bundle imports Vue/lodash utilities; no actual network fetch or dynamic code execution present in sample. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-Do0etb2v.js | AI (source-diff): Standard Vite-minified Vue component bundle; long lines are minification artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-Bk7bf81X.js | AI (source-diff): Standard Vite-minified Vue component bundle; long lines are minification artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-BQCvcmqS.js | AI (source-diff): Minified Vite build output for a UI component library; long lines are expected bundled code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-BoNZN7wg.js | AI (source-diff): Minified Vite build output for a UI component library; long lines are expected bundled code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-BQCvcmqS.js | AI (source-diff): Standard Vite-bundled ESM dist file; no actual network/exec payload, just minified Vue+utility code. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-wdKO5CDb.js | AI (source-diff): Standard Vite-bundled ESM dist file; no actual network/exec payload, just minified Vue+utility code. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_9a6ceb77_lang-lisURb-9.js | AI (source-diff): Minified Vite build output for a Vue component; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_9a6ceb77_lang-lisURb-9.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network calls or dynamic exec in sample. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-BFzX4elt.js | AI (source-diff): Minified Vite build output for a Vue component; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-Bjbd8EGK.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network calls or dynamic exec in sample. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-ASFeIuVd.js | AI (source-diff): Minified Vite bundle; same false-positive pattern as localTimeUtils. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-DndZYfl_.js | AI (source-diff): Minified Vite bundle; dynamic component resolution in Vue is not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-CLbVTo3I.js | AI (source-diff): Standard Vite minified output; long lines are expected in bundled dist files. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-ASFeIuVd.js | AI (source-diff): Standard Vite minified output; long lines are expected in bundled dist files. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-DuZjjKcZ.js | AI (source-diff): Minified Vite bundle; long lines are standard for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-CewLhW6l.js | AI (source-diff): Minified Vite build output for a rich text editor component; long lines are expected bundler output. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-DuZjjKcZ.js | AI (source-diff): Same pattern: standard Vite bundle with Vue dynamic component resolution, not network+exec malware. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CjAdGq92.js | AI (source-diff): Vite-bundled Vue component; resolveDynamicComponent is a Vue API, not malware dropper pattern. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-B5X5KcA6.js | AI (source-diff): Sample shows standard Vite-bundled Vue/date-fns code; no actual network calls or dynamic exec present. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-f4_oWidN.js | AI (source-diff): Standard Vite minified bundle; long lines are minified Vue component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DkV_1bmO.js | AI (source-diff): Standard Vite minified bundle; long lines are minified Vue component code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-f4_oWidN.js | AI (source-diff): Vite-bundled ESM chunk; Vue runtime imports misidentified as network+exec; stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/DateTimeInput-DMWRo8Rw.js | AI (source-diff): Vite-bundled ESM chunk; Vue runtime imports misidentified as network+exec; stable pattern for this package. | ai | |
| npm-metadata | url-dep:v-calendar | AI (npm-metadata): KNIME-owned Bitbucket fork used only in devDependencies; no runtime impact on consumers. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-DuNRJy9L.js | AI (source-diff): Minified Vite build output for a Vue component library; long lines are expected bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-Cd0CGkK3.js | AI (source-diff): Minified Vite build output for a Vue component library; long lines are expected bundler output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-DuNRJy9L.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network+exec payload, just minified ESM imports. | ai | |
| source-diff | net-exec-file:dist/DateTimeInput-DTyyMh2m.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network+exec payload, just minified ESM imports. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-EKCgcK7i.js | AI (source-diff): Minified Vite build artifact; long lines are normal for bundled Vue component output. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-D-3Bt71E.js | AI (source-diff): Minified Vite build artifact; long lines are normal for bundled Vue component output. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-EKCgcK7i.js | AI (source-diff): Standard Vite-bundled Vue ESM output; no actual network fetch or eval patterns in the sample. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BcdHc4dG.js | AI (source-diff): Standard Vite-bundled Vue ESM output; no actual network fetch or eval patterns in the sample. | ai | |
| source-diff | large-new-source-files | AI (source-diff): KNIME component library; large number of split Vite chunks is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-CSDuFZoP.js | AI (source-diff): Minified Vite build output; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DboN_qGd.js | AI (source-diff): Minified Vite build output; long lines are normal for bundled Vue components. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-CSDuFZoP.js | AI (source-diff): Same pattern: bundled Vue/lodash code, no real network+exec payload. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CutK8k0h.js | AI (source-diff): Standard Vite-bundled Vue component; no actual fetch/eval — analyzer fires on minified ESM imports. | ai | |
| phantom-deps | phantom-dep:@knime/rich-text-editor | AI (phantom-deps): Same-org dep used indirectly; stable false positive. | ai | |
| phantom-deps | phantom-dep:@knime/kds-components | AI (phantom-deps): Same-org dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@jsonforms/vue-vanilla | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:@floating-ui/vue | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:focus-trap-vue | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:@knime/styles | AI (phantom-deps): Same-org dep; declared and used within KNIME ecosystem. | ai | |
| phantom-deps | phantom-dep:@knime/utils | AI (phantom-deps): Same-org dep; declared and used within KNIME ecosystem. | ai | |
| phantom-deps | phantom-dep:tabbable | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai |
Versions (showing 51 of 83)
| Version | Deps | Published |
|---|---|---|
| 1.23.0 | 11 / 14 | |
| 1.21.19 | 12 / 14 | |
| 1.21.17 | 12 / 14 | |
| 1.21.15 | 12 / 14 | |
| 1.21.14 | 12 / 14 | |
| 1.21.12 | 14 / 16 | |
| 1.21.7 | 14 / 16 | |
| 1.21.0 | 14 / 16 | |
| 1.20.2 | 14 / 16 | |
| 1.20.1 | 14 / 16 | |
| 1.19.3 | 14 / 16 | |
| 1.19.1 | 14 / 16 | |
| 1.19.0 | 14 / 16 | |
| 1.18.14 | 14 / 16 | |
| 1.18.13 | 14 / 16 | |
| 1.18.12 | 14 / 16 | |
| 1.18.11 | 14 / 16 | |
| 1.18.10 | 14 / 16 | |
| 1.18.9 | 14 / 15 | |
| 1.18.8 | 14 / 15 | |
| 1.18.7 | 14 / 15 | |
| 1.18.6 | 14 / 15 | |
| 1.16.8 | 14 / 16 | |
| 1.16.7 | 14 / 16 | |
| 1.16.6 | 14 / 16 | |
| 1.16.5 | 14 / 16 | |
| 1.16.2 | 14 / 16 | |
| 1.16.1 | 14 / 16 | |
| 1.16.0 | 14 / 16 | |
| 1.15.46 | 14 / 16 | |
| 1.15.45 | 14 / 16 | |
| 1.15.44 | 14 / 16 | |
| 1.15.43 | 14 / 16 | |
| 1.15.42 | 13 / 16 | |
| 1.15.41 | 13 / 16 | |
| 1.15.40 | 13 / 16 | |
| 1.15.35 | 13 / 16 | |
| 1.15.34 | 13 / 16 | |
| 1.15.30 | 13 / 16 | |
| 1.15.29 | 13 / 16 | |
| 1.15.28 | 13 / 16 | |
| 1.15.25 | 13 / 16 | |
| 1.15.23 | 13 / 16 | |
| 1.15.22 | 13 / 16 | |
| 1.15.20 | 13 / 16 | |
| 1.15.19 | 13 / 16 | |
| 1.15.18 | 13 / 16 | |
| 1.15.17 | 13 / 16 | |
| 1.15.16 | 13 / 16 | |
| 1.15.15 | 13 / 16 | |
| 1.15.14 | 13 / 16 |
v1.23.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.19
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.17
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.12
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.7
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.3
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.1
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.9
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.8
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.7
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.6
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.8
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.7
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.6
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.5
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.46
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.45
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.44
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.43
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.42
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.41
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.40
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.35
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.34
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.28
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.25
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.23
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.22
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.20
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.19
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.17
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.16
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.15
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.