@livekit/components-react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/shared-9gJpzp77.js | AI (source-diff): Standard Vite/Rollup minified bundle output; code is readable LiveKit/React logic, not obfuscated. | ai | |
| source-diff | net-exec-file:dist/components-CwZ8kStA.mjs | AI (source-diff): Network calls are LiveKit WebRTC API usage; dynamic code execution is React createElement — no dropper pattern. | ai | |
| source-diff | net-exec-file:dist/shared-CmjH0W2G.js | AI (source-diff): Network calls are LiveKit WebRTC API usage; dynamic code execution is React createElement — no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/components-CwZ8kStA.mjs | AI (source-diff): Standard Vite/Rollup minified bundle output; code is readable LiveKit/React component logic. | ai | |
| source-diff | obfuscated-file:dist/shared-jZUXaCo3.js | AI (source-diff): Standard Vite/Rollup minified bundle output; code is readable LiveKit/React logic, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared-CmjH0W2G.js | AI (source-diff): Standard Vite/Rollup minified bundle output; code is readable LiveKit/React logic, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared-BCAxwLPA.js | AI (source-diff): Standard Vite/Rollup minified bundle output; code is readable LiveKit/React logic, not obfuscated. | ai | |
| source-diff | net-exec-file:dist/shared-VrpP8d_K.js | AI (source-diff): Network calls are livekit-client WebRTC APIs; no dynamic code execution pattern present in samples. | ai | |
| source-diff | obfuscated-file:dist/shared-VrpP8d_K.js | AI (source-diff): Standard Vite/Rollup minified bundle output for this React library; not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/components-Bz2b1Fa9.mjs | AI (source-diff): Network calls are livekit-client WebRTC APIs; createElement is React rendering, not dynamic code execution. | ai | |
| source-diff | obfuscated-file:dist/components-Bz2b1Fa9.mjs | AI (source-diff): Standard Vite/Rollup minified ESM bundle for this React library. | ai | |
| source-diff | obfuscated-file:dist/shared-XaRFWxdm.js | AI (source-diff): Standard Vite/Rollup minified bundle output; floating-ui/positioning code visible in sample. | ai | |
| source-diff | obfuscated-file:dist/shared-CY0Qaqwj.js | AI (source-diff): Standard Vite/Rollup minified bundle output for this React library; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-BmMQPxKc.js | AI (source-diff): Standard Vite/Rollup minified bundle output for this React library; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-Dy7KtilJ.js | AI (source-diff): Vite-minified bundle; sample shows LiveKit room connection logic, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/components-DHWpi-op.mjs | AI (source-diff): Network calls are livekit-client WebRTC APIs; dynamic code is React createElement, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/shared-CHuuWXU-.js | AI (source-diff): Standard Vite minified bundle output for a React component library; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:dist/shared-DQInubaN.js | AI (source-diff): Vite-minified bundle; sample shows ResizeObserver, chat state reducer, standard React patterns. | ai | |
| source-diff | net-exec-file:dist/shared-CHuuWXU-.js | AI (source-diff): Network calls are livekit-client WebRTC APIs; dynamic code is normal React createElement/hooks patterns. | ai | |
| source-diff | obfuscated-file:dist/components-DHWpi-op.mjs | AI (source-diff): Vite-minified ESM bundle; sample shows forwardRef components and SVG icons, no malicious content. | ai | |
| source-diff | net-exec-file:dist/shared-CE6LDR4K.js | AI (source-diff): Network calls are LiveKit WebRTC API usage; no dynamic code execution (eval/Function constructor) present. | ai | |
| source-diff | obfuscated-file:dist/shared-CE6LDR4K.js | AI (source-diff): Standard Vite/Rollup minified bundle output; code is normal React/LiveKit UI components. | ai | |
| source-diff | obfuscated-file:dist/shared-Cxl3cIQC.js | AI (source-diff): Standard Vite/Rollup minified bundle output; floating-UI positioning logic, no malicious content. | ai | |
| source-diff | obfuscated-file:dist/shared-D3fcovJq.js | AI (source-diff): Standard Vite/Rollup minified bundle output; LiveKit room/hook logic, no malicious content. | ai | |
| source-diff | net-exec-file:dist/components-DKVkostq.mjs | AI (source-diff): Network calls are LiveKit WebRTC API usage; no dynamic code execution present in the sample. | ai | |
| source-diff | obfuscated-file:dist/shared-BLCMAVw2.js | AI (source-diff): Standard Vite/Rollup minified bundle output for a React component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components-DKVkostq.mjs | AI (source-diff): Standard Vite/Rollup minified ESM bundle; normal React component code. | ai | |
| source-diff | net-exec-file:dist/components-CU_md5RK.mjs | AI (source-diff): Network calls are React/LiveKit API usage; createElement is React rendering, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/shared-DZcVgX7j.js | AI (source-diff): Network calls are React/LiveKit API usage (matchMedia, ResizeObserver); createElement is React rendering, not code execution. | ai | |
| source-diff | obfuscated-file:dist/components-CU_md5RK.mjs | AI (source-diff): Standard Vite/Rollup minified bundle output; readable LiveKit/React code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-VEQdJrv0.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable LiveKit/React code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-DZcVgX7j.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable LiveKit/React code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-CGFYrEgQ.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable LiveKit/React code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-BpdYlR3A.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable LiveKit/React code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/components-k0KtCs0w.mjs | AI (source-diff): Network calls are LiveKit WebRTC API; no dynamic code execution present in samples. | ai | |
| source-diff | obfuscated-file:dist/components-k0KtCs0w.mjs | AI (source-diff): Standard minified Vite ESM bundle; code is readable React component definitions. | ai | |
| source-diff | obfuscated-file:dist/shared-DvBJFclv.js | AI (source-diff): Standard minified Vite bundle; code is floating-ui/positioning logic. | ai | |
| source-diff | obfuscated-file:dist/shared-CFk85O47.js | AI (source-diff): Standard minified Vite bundle; code is readable React hooks logic. | ai | |
| source-diff | net-exec-file:dist/shared-B-TxItyN.js | AI (source-diff): Network calls are WebRTC/LiveKit API usage; no dynamic code execution (eval/Function constructor) present. | ai | |
| source-diff | obfuscated-file:dist/shared-B-TxItyN.js | AI (source-diff): Standard Vite/Rollup minified bundle output for a React component library; no actual obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-ChGsM9Y7.js | AI (source-diff): Standard minified Vite bundle; code is readable React component logic. | ai | |
| source-diff | obfuscated-file:dist/components-BlAy1Aks.mjs | AI (source-diff): Standard Vite minified ESM bundle for React components; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-Bh0fNkvu.js | AI (source-diff): Standard Vite minified bundle output for this React library; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/shared-Bh0fNkvu.js | AI (source-diff): Network calls are livekit-client SDK usage; no dropper/loader pattern in sample. | ai | |
| source-diff | net-exec-file:dist/components-BlAy1Aks.mjs | AI (source-diff): Network calls are livekit-client SDK usage; no dropper/loader pattern in sample. | ai | |
| source-diff | obfuscated-file:dist/shared-BB7aiEfq.js | AI (source-diff): Standard vite-minified React/LiveKit bundle; long lines are normal minification output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/components-BeK2vIib.mjs | AI (source-diff): Network calls are LiveKit WebRTC API; no eval/dynamic execution in sampled code. | ai | |
| source-diff | obfuscated-file:dist/components-BeK2vIib.mjs | AI (source-diff): Minified React component bundle; long lines are normal vite minification. | ai | |
| source-diff | obfuscated-file:dist/shared-DXC9VBzT.js | AI (source-diff): Minified ResizeObserver/state utilities; standard build output. | ai | |
| source-diff | obfuscated-file:dist/shared-DimS3cEB.js | AI (source-diff): Minified LiveKit room/hook logic; standard build output. | ai | |
| source-diff | obfuscated-file:dist/shared-BVVr9jJ4.js | AI (source-diff): Minified floating-UI/positioning logic bundled by vite; expected build artifact. | ai | |
| source-diff | net-exec-file:dist/shared-BB7aiEfq.js | AI (source-diff): Network calls are LiveKit WebRTC API usage; no dynamic code execution (eval/Function) present in sampled code. | ai | |
| source-diff | obfuscated-file:dist/shared-Bs34Ekar.js | AI (source-diff): Standard Vite-minified bundle output; samples show normal React/livekit-client code. | ai | |
| source-diff | net-exec-file:dist/components-DmY-A_LL.mjs | AI (source-diff): Network calls are livekit-client APIs; dynamic execution is React createElement — legitimate component library pattern. | ai | |
| source-diff | obfuscated-file:dist/components-DmY-A_LL.mjs | AI (source-diff): Standard Vite-minified ESM bundle; samples show React component wrappers. | ai | |
| source-diff | obfuscated-file:dist/shared-DWpF098-.js | AI (source-diff): Standard Vite-minified bundle; samples show LiveKit room/participant hook code. | ai | |
| source-diff | obfuscated-file:dist/shared-CQ-nEmIw.js | AI (source-diff): Standard Vite-minified bundle; samples show ResizeObserver and RxJS subscription patterns. | ai | |
| source-diff | net-exec-file:dist/shared-Bs34Ekar.js | AI (source-diff): Network calls are livekit-client WebRTC APIs; dynamic execution is React createElement — no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/shared-B7S62mm5.js | AI (source-diff): Standard Vite-minified bundle output for this React component library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-CJDltH4I.js | AI (source-diff): Standard Vite minified bundle output for this React UI library; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/components-DqcPwJ_9.mjs | AI (source-diff): Network calls are livekit-client WebRTC API; dynamic code is React createElement — normal for this package. | ai | |
| source-diff | obfuscated-file:dist/components-DqcPwJ_9.mjs | AI (source-diff): Standard Vite minified ESM bundle; React component definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-Pblsvaeh.js | AI (source-diff): Standard Vite minified bundle output for this React UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-IFvGP0Zf.js | AI (source-diff): Standard Vite minified bundle output; floating-UI/positioning logic, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/shared-CJDltH4I.js | AI (source-diff): Network calls are livekit-client WebRTC API; dynamic code is React createElement — normal for this package. | ai | |
| source-diff | obfuscated-file:dist/shared-BKTd9Oqq.js | AI (source-diff): Standard Vite minified bundle output for this React UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared-BdB9GPUj.js | AI (source-diff): Standard minified build output for a React component library; no obfuscation or malicious patterns. | ai | |
| source-diff | net-exec-file:dist/components-B0PMXyIS.mjs | AI (source-diff): Network calls are livekit-client WebRTC APIs; no malicious execution patterns. | ai | |
| source-diff | obfuscated-file:dist/components-B0PMXyIS.mjs | AI (source-diff): Standard minified ESM build output; normal React component patterns. | ai | |
| source-diff | net-exec-file:dist/shared-BdB9GPUj.js | AI (source-diff): Network calls are livekit-client WebRTC APIs; no dropper/loader patterns in the sample. | ai | |
| source-diff | obfuscated-file:dist/shared-I8hFcrmp.js | AI (source-diff): Standard minified build output; samples show normal React hooks and ResizeObserver usage. | ai | |
| source-diff | net-exec-file:dist/shared-DsGkPi0_.js | AI (source-diff): Network calls are livekit-client WebRTC APIs; dynamic code execution is React createElement — not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/shared-DsGkPi0_.js | AI (source-diff): Standard minified build output; samples show normal React/livekit-client code. | ai | |
| source-diff | obfuscated-file:dist/shared-BGiZtWPs.js | AI (source-diff): Standard minified build output for a React component library; no actual obfuscation. | ai | |
| source-diff | obfuscated-file:dist/components-Cc_gXqiR.mjs | AI (source-diff): Standard minified build output; samples show normal React component definitions. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher is GitHub Actions with SLSA provenance attestation; CI/CD publishing is the documented release process for this package. | ai | |
| source-diff | net-exec-file:dist/components-Cc_gXqiR.mjs | AI (source-diff): Network calls are livekit-client APIs; dynamic execution is React createElement — not malware. | ai | |
| phantom-deps | phantom-dep:jose | AI (phantom-deps): jose is a declared runtime dependency in package.json; phantom-dep heuristic false positive for this package. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 2.9.21 | 5 / 23 | |
| 2.9.20 | 5 / 23 | |
| 2.9.19 | 5 / 23 | |
| 2.9.18 | 5 / 23 | |
| 2.9.17 | 5 / 22 | |
| 2.9.16 | 5 / 22 | |
| 2.9.15 | 3 / 19 | |
| 2.9.14 | 3 / 19 | |
| 2.9.13 | 3 / 19 | |
| 2.9.12 | 3 / 19 | |
| 2.9.11 | 3 / 19 | |
| 2.9.10 | 3 / 19 | |
| 2.9.9 | 3 / 19 | |
| 2.9.8 | 3 / 19 | |
| 2.9.7 | 3 / 19 | |
| 2.9.6 | 3 / 19 | |
| 2.9.5 | 3 / 19 | |
| 2.9.4 | 3 / 19 | |
v2.9.21
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.19
8 findings
This version was published by a different npm account than previous versions on 2026-01-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.18
8 findings
This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.15
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.14
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.13
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.12
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.11
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.10
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.9
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.8
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.7
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.6
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.