@mandujs/core — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

oddeye

Keywords

manduframeworkagentaicode-generation

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:src/client/spa-nav-helper.ts	AI (source-diff): File is a documented, commented TypeScript SPA helper with intentionally minified inline JS — not obfuscated malware.	ai	2026/05/30
source-diff	net-exec-file:src/desktop/webview-fallback.ts	AI (source-diff): Documented bun:ffi fallback for webview-bun peer; legitimate FFI binding, not malware.	ai	2026/05/29
source-diff	net-exec-file:src/desktop/__tests__/worker.test.ts	AI (source-diff): Test file with mock emitters; no real network calls or dynamic exec — false positive for this package.	ai	2026/05/27
source-diff	net-exec-file:src/desktop/types.ts	AI (source-diff): Pure TypeScript type definitions; no network or exec code present.	ai	2026/05/27
source-diff	net-exec-file:src/desktop/window.ts	AI (source-diff): Lazy optional-peer FFI loader for webview-bun; legitimate desktop integration pattern.	ai	2026/05/27
source-diff	net-exec-file:src/desktop/worker.ts	AI (source-diff): Worker entry for Bun Webview; documented pattern, no malicious exec.	ai	2026/05/27
typosquat	typosquat.levenshtein:cors	AI (typosquat): @mandujs/core is a scoped framework package; 'core' vs 'cors' is coincidental, not impersonation.	ai	2026/04/30
semgrep	semgrep:dynamic-require	AI (semgrep): Loads user-specified middleware by path; documented plugin/middleware loader pattern.	ai	2026/04/30
semgrep	semgrep:etc-passwd-access	AI (semgrep): Fires in a test file asserting that path traversal to /etc/passwd is rejected — not credential harvesting.	ai	2026/04/30
semgrep	semgrep:silent-process-exec	AI (semgrep): Spawns a log-tailing viewer process in watcher.ts; documented dev-tool behavior, not a reverse shell.	ai	2026/04/30
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same watcher.ts log-tail spawn; same rationale as silent-process-exec.	ai	2026/04/30
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 127.0.0.1 is a localhost OAuth redirect URI — standard loopback pattern, not exfiltration.	ai	2026/04/30
semgrep	semgrep:env-bulk-read	AI (semgrep): Reads process.env to pass environment to child build process; standard build-tool pattern.	ai	2026/04/30

Versions (showing 51 of 101)

View all versions

Version	Deps	Published
0.54.2	5 / 1	2026-05-17
0.54.1	5 / 1	2026-05-17
0.54.0	5 / 1	2026-05-17
0.53.1	5 / 1	2026-04-30
0.53.0	5 / 1	2026-04-30
0.34.1	6 / 1	2026-04-20
0.33.1	6 / 1	2026-04-20
0.29.1	6 / 1	2026-04-20
0.28.0	6 / 1	2026-04-20
0.26.0	6 / 1	2026-04-20
0.23.0	6 / 1	2026-04-19
0.22.1	6 / 1	2026-04-19
0.21.0	6 / 1	2026-04-14
0.20.10	6 / 1	2026-04-13
0.20.9	6 / 1	2026-04-13
0.20.8	6 / 1	2026-04-13
0.20.7	6 / 1	2026-04-12
0.20.6	6 / 1	2026-04-12
0.20.5	6 / 1	2026-04-12
0.20.4	6 / 1	2026-04-12
0.20.3	6 / 1	2026-04-12
0.20.2	6 / 1	2026-04-12
0.20.1	6 / 1	2026-04-12
0.20.0	6 / 1	2026-04-12
0.19.2	6 / 1	2026-04-12
0.12.0	5 / 1	2026-02-05
0.11.0	4 / 1	2026-02-05
0.10.0	4 / 1	2026-02-04
0.9.46	4 / 1	2026-02-04
0.9.45	4 / 1	2026-02-04
0.9.44	4 / 1	2026-02-04
0.9.43	4 / 1	2026-02-03
0.9.42	4 / 1	2026-02-03
0.9.41	4 / 1	2026-02-03
0.9.40	4 / 1	2026-02-02
0.9.39	4 / 1	2026-02-02
0.9.38	4 / 1	2026-02-02
0.9.37	4 / 1	2026-02-02
0.9.31	2 / 1	2026-02-02
0.9.30	2 / 1	2026-02-02
0.9.29	2 / 1	2026-02-02
0.9.28	2 / 1	2026-02-02
0.9.27	2 / 1	2026-02-02
0.9.26	2 / 1	2026-02-02
0.9.25	2 / 1	2026-01-30
0.9.24	2 / 1	2026-01-30
0.9.23	2 / 1	2026-01-30
0.9.22	2 / 1	2026-01-30
0.9.21	2 / 1	2026-01-30
0.9.20	2 / 1	2026-01-30
0.9.19	2 / 1	2026-01-30

v0.54.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.54.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.54.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.53.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.53.0

12 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@mandujs/core' is 1 edit(s) away from popular package 'cors'.

HIGH etc-passwd-access: src/bundler/__tests__/url-cap-and-slot-regex.test.ts:178 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 176 | }); 177 | > 178 | test("[SLOT2] path traversal slotModule (`../../etc/passwd`) is rejected with warning", async () => { 179 | const warnings: string[] = []; 180 | const origWarn = console.warn;

HIGH etc-passwd-access: src/bundler/__tests__/url-cap-and-slot-regex.test.ts:192 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 190 | module: "app/page.tsx", 191 | componentModule: "app/page.tsx", > 192 | slotModule: "../../../etc/passwd", 193 | }, 194 | ],

HIGH etc-passwd-access: src/bundler/__tests__/url-cap-and-slot-regex.test.ts:219 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 217 | module: "app/page.tsx", 218 | componentModule: "app/page.tsx", > 219 | slotModule: "/etc/passwd", 220 | }, 221 | ],

HIGH etc-passwd-access: src/bundler/dev.ts:496 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 494 | // 495 | // Before 7.2 the code trusted `route.slotModule` verbatim and a > 496 | // tampered manifest with `slotModule: "../../../etc/passwd"` would 497 | // pollute `watchDirs` with directories outside the project root. 498 | // Downstream code (`bundledImport`, `registerHandlers`) already

HIGH silent-process-exec: src/watcher/watcher.ts:280 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 278 | if (process.platform === "win32") { 279 | // Windows: open new cmd window with PowerShell Get-Content -Wait > 280 | this.tailProcess = spawn("cmd", [ 281 | "/c", "start", 282 | "Mandu Watch",

HIGH silent-process-exec-var: src/watcher/watcher.ts:280 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 278 | if (process.platform === "win32") { 279 | // Windows: open new cmd window with PowerShell Get-Content -Wait > 280 | this.tailProcess = spawn("cmd", [ 281 | "/c", "start", 282 | "Mandu Watch",

HIGH silent-process-exec: src/watcher/watcher.ts:288 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 286 | } else if (process.platform === "darwin") { 287 | // macOS: open new Terminal.app tab > 288 | this.tailProcess = spawn("osascript", [ 289 | "-e", `tell application "Terminal" to do script "tail -f '${logFile}'"`, 290 | ], { detached: true, stdio: "ignore" });

HIGH silent-process-exec-var: src/watcher/watcher.ts:288 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 286 | } else if (process.platform === "darwin") { 287 | // macOS: open new Terminal.app tab > 288 | this.tailProcess = spawn("osascript", [ 289 | "-e", `tell application "Terminal" to do script "tail -f '${logFile}'"`, 290 | ], { detached: true, stdio: "ignore" });

HIGH silent-process-exec: src/watcher/watcher.ts:293 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 291 | } else { 292 | // Linux: try common terminal emulators > 293 | this.tailProcess = spawn("x-terminal-emulator", [ 294 | "-e", `tail -f '${logFile}'`, 295 | ], { cwd, detached: true, stdio: "ignore" });

HIGH silent-process-exec-var: src/watcher/watcher.ts:293 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 291 | } else { 292 | // Linux: try common terminal emulators > 293 | this.tailProcess = spawn("x-terminal-emulator", [ 294 | "-e", `tail -f '${logFile}'`, 295 | ], { cwd, detached: true, stdio: "ignore" });

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.34.1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.

HIGH New obfuscated file: src/client/spa-nav-helper.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.33.1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.

HIGH New obfuscated file: src/client/spa-nav-helper.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.29.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.28.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.26.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.23.0

7 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.

HIGH New file with network + code execution: src/desktop/__tests__/worker.test.ts source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: src/desktop/types.ts source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: src/desktop/webview-fallback.ts source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: src/desktop/window.ts source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: src/desktop/worker.ts source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.22.1

6 findings