@morphql/playground
Interactive playground for morphql - Test MorphQL queries in real-time.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/assets/index-Dlk_bXJs.js | AI (source-diff): Network calls and dynamic code in a browser playground bundle are expected; no Node.js install-time execution. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dlk_bXJs.js | AI (source-diff): Vite-minified React bundle; standard frontend build artifact, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-BXVhxdUC.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic code in a React SPA bundle are normal browser-side patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BXVhxdUC.js | AI (source-diff): Standard Vite-minified React SPA bundle; long lines are expected minification output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Hgnrv8Yi.js | AI (source-diff): Vite-bundled React app; minified output is expected for this playground package. | ai | |
| source-diff | net-exec-file:dist/assets/index-Hgnrv8Yi.js | AI (source-diff): Network calls and dynamic code in bundled frontend asset are standard React/Vite build artifacts, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-x9FBcA6k.js | AI (source-diff): Network calls are browser fetch() for modulepreload in a bundled React app, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-x9FBcA6k.js | AI (source-diff): Vite-bundled React playground app; minified output is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Va8sPisH.js | AI (source-diff): This is a Vite-minified React app bundle for a playground UI. Long lines are standard minification output, not obfuscation. Pattern is stable for this package's build pipeline. | ai | |
| source-diff | net-exec-file:dist/assets/index-Va8sPisH.js | AI (source-diff): fetch() calls are modulepreload polyfill logic; dynamic patterns are standard React/Vite bundle output. No actual dropper/loader behavior present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-op2CE-V7.js | AI (source-diff): This is a Vite-bundled React app artifact. Minified long lines are expected output from the build:app step; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-op2CE-V7.js | AI (source-diff): fetch() usage is the modulepreload polyfill; dynamic module patterns are standard Vite/React bundle output. No malicious network+exec pattern present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-UrBKHkjE.js | AI (source-diff): This is a standard Vite-minified React SPA bundle. Long lines are minification artifacts, not obfuscation. Expected for a playground package shipping pre-built assets. | ai | |
| source-diff | net-exec-file:dist/assets/index-UrBKHkjE.js | AI (source-diff): Network calls are standard fetch() for modulepreload prefetching; dynamic patterns are React internals. No malicious dropper behavior present in this Vite/React bundle. | ai | |
| source-diff | net-exec-file:dist/assets/index-obrF3vsa.js | AI (source-diff): Network calls are module preload fetch() polyfills and React rendering — normal browser-side playground behavior, not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-obrF3vsa.js | AI (source-diff): This is a standard Vite-minified React bundle for a playground UI. Minified dist assets are expected for this package type; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-PWX9Y0Bh.js | AI (source-diff): This is a Vite-bundled React app asset for a playground UI. Long minified lines are expected output from Vite's build:app step, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-PWX9Y0Bh.js | AI (source-diff): Network calls (fetch for module preloading) and dynamic patterns are standard in Vite-bundled React apps. No dropper/loader behavior present in the sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BAKTEvH5.js | AI (source-diff): This is a standard Vite-bundled React app asset. Long lines are minification artifacts, not obfuscation. Expected for a playground UI package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BAKTEvH5.js | AI (source-diff): Network calls are modulepreload polyfill fetch() calls in Vite bundle output. No actual dropper/loader behavior present. | ai | |
| source-diff | net-exec-file:dist/assets/index-BxA16v2m.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic module loading are standard Vite/React bundle patterns, not dropper behavior. Confirmed by SLSA provenance attestation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BxA16v2m.js | AI (source-diff): This is a Vite-minified React app bundle (playground UI). Long lines are expected from minification, not obfuscation. SLSA provenance confirms CI build origin. | ai | |
| source-diff | net-exec-file:dist/assets/index-CEAxs4qj.js | AI (source-diff): Network calls are browser-side fetch() for module preload polyfill; dynamic code is standard React/JS patterns. This is a frontend playground bundle, not a dropper. SLSA provenance further confirms legitimate CI build. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CEAxs4qj.js | AI (source-diff): This is a Vite-bundled SPA asset for a frontend playground package. Minified bundles with long lines are expected output of vite build; code sample confirms standard React internals, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-BsIxpC0d.js | AI (source-diff): Network calls are fetch() in a modulepreload polyfill; dynamic execution is standard React rendering. No dropper/loader behavior present in the sampled code. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BsIxpC0d.js | AI (source-diff): This is a standard Vite-bundled frontend app asset. Minification produces long lines but the content is clearly React/Vite boilerplate, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-VIgmERhu.js | AI (source-diff): File is a standard Vite/React production bundle (minified, not obfuscated). Long lines are expected build output for this playground package. | ai | |
| source-diff | net-exec-file:dist/assets/index-VIgmERhu.js | AI (source-diff): Network call is fetch() in a modulepreload polyfill; dynamic execution is standard React rendering. Both are expected in a Vite-bundled React playground app. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C04R0ACf.js | AI (source-diff): This is a Vite-bundled React app output. Minified bundles always produce long lines triggering this rule; the sample shows standard React internals, not obfuscation. SLSA provenance confirms CI/CD build. | ai | |
| source-diff | net-exec-file:dist/assets/index-C04R0ACf.js | AI (source-diff): fetch() calls in the sample are module preload polyfill code from Vite. Standard frontend bundle pattern, not dropper/loader behavior. SLSA provenance attestation confirms legitimate CI build. | ai | |
| source-diff | net-exec-file:dist/assets/index-C-eaM6OZ.js | AI (source-diff): Network calls (fetch for module preloading) and dynamic evaluation are standard in Vite-bundled React apps. No dropper/loader behavior present in the sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C-eaM6OZ.js | AI (source-diff): This is a standard Vite-minified React app bundle. Long lines are inherent to minification, not obfuscation. The sample confirms recognizable React internals and bundler patterns. | ai | |
| source-diff | net-exec-file:dist/assets/index-Dw01KyUX.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic code execution are standard Monaco Editor and React behaviors in a browser playground bundle. No malicious payload visible in code sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dw01KyUX.js | AI (source-diff): This is standard Vite-minified output for a React + Monaco Editor playground app. Large minified bundles are expected for this package type; SLSA provenance confirms CI/CD build integrity. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DKu0ncpa.js | AI (source-diff): This is a standard Vite production build artifact for a React+Monaco playground. Long lines are minified bundle output, not obfuscation. Pattern is stable for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-DKu0ncpa.js | AI (source-diff): Network calls are module preload polyfill fetch(); dynamic code is React internals. No malicious dropper/loader behavior. Expected for a Vite-bundled React app. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BtgsZX6i.js | AI (source-diff): This is a Vite-bundled React app artifact (minified, not obfuscated). SLSA provenance confirms CI/CD build. Minified dist files are expected for this playground package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BtgsZX6i.js | AI (source-diff): Network calls are browser-side fetch() in a module preload polyfill; dynamic execution is standard React rendering. No dropper/loader behavior present. SLSA provenance confirmed. | ai | |
| source-diff | net-exec-file:dist/assets/index-DyMs7iNs.js | AI (source-diff): Network calls (fetch in module preload polyfill) and dynamic code execution (React rendering) are standard in any Vite-bundled React SPA. No malicious payload present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DyMs7iNs.js | AI (source-diff): This is a standard Vite-minified React app bundle. Long lines are expected minification output, not obfuscation. Confirmed by readable React internals in the sample. | ai | |
| source-diff | net-exec-file:dist/assets/index-DmtFGis1.js | AI (source-diff): Network calls are the module preload polyfill (fetch link hrefs); dynamic patterns are standard React internals. No dropper/exfiltration behavior present. SLSA provenance confirms legitimate build. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DmtFGis1.js | AI (source-diff): This is a standard Vite/React minified bundle for a playground UI. Long lines are expected output of Vite's bundler, not obfuscation. SLSA provenance confirms legitimate CI build. | ai | |
| source-diff | net-exec-file:dist/assets/index-CB76WDIi.js | AI (source-diff): Network calls are standard browser fetch() for module preloading in Vite bundles. No dropper/loader behavior present; this is normal React SPA code. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CB76WDIi.js | AI (source-diff): This is a standard Vite-minified React bundle for a frontend playground package. Long lines are minification artifacts, not obfuscation. Pattern is stable for this build toolchain. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BlhYV3Of.js | AI (source-diff): This is a standard Vite/Rollup minified React bundle for a frontend playground. Long lines are expected minification output, not obfuscation. Pattern is stable for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BlhYV3Of.js | AI (source-diff): fetch() calls in this file are React module preload polyfill logic, not dropper behavior. Standard Vite bundle pattern for a React playground app. | ai | |
| source-diff | net-exec-file:dist/assets/index-Bmf46WJY.js | AI (source-diff): fetch() is used for modulepreload polyfill; dynamic patterns are standard React/Vite bundle output. No malicious network+exec pattern present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Bmf46WJY.js | AI (source-diff): This is a Vite-bundled React app output for a playground package. Minified long lines are expected; code is clearly standard React internals, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-BiI9LGB5.js | AI (source-diff): Network calls (fetch in modulepreload polyfill) and dynamic code execution (React rendering) are standard browser-side patterns in a Vite-bundled React app, not dropper/loader behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BiI9LGB5.js | AI (source-diff): This is a standard Vite-bundled React app asset. Minified output is expected for a frontend playground package; the sample confirms React/JSX runtime code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-CoAuV_s8.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic code in a browser bundle are standard React/Vite patterns, not dropper/loader behavior. Expected for this frontend playground package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CoAuV_s8.js | AI (source-diff): This is a standard Vite-minified React bundle for a frontend playground app. Long lines are minification artifacts, not obfuscation. Expected for this package type. | ai | |
| source-diff | net-exec-file:dist/assets/index-DN0PJ3NV.js | AI (source-diff): Network calls are browser modulepreload fetch polyfill; dynamic patterns are standard React/Vite bundle. No malicious dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DN0PJ3NV.js | AI (source-diff): This is a Vite-minified React bundle for a playground app. Long lines are standard minification output, not obfuscation. The pattern is stable for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-DAIhIb_G.js | AI (source-diff): fetch() calls in this file are standard module preloading polyfill code from Vite's React build output, not dropper/loader behavior. False positive for this frontend bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DAIhIb_G.js | AI (source-diff): This is a standard Vite-minified React bundle for a playground app. Long lines are expected minification output, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-DvvW29fT.js | AI (source-diff): Network calls are browser fetch() for modulepreload prefetching — a standard browser optimization. No malicious dropper/loader behavior present in this playground UI bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DvvW29fT.js | AI (source-diff): This is a standard Vite-minified React app bundle for a playground UI package. Minification is expected; the code is clearly React internals, not intentional obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-_RbDrsoX.js | AI (source-diff): Network calls are the standard modulepreload polyfill fetch() and React app data fetching. No dropper/loader behavior present. Stable false positive for this Vite-bundled React playground package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-_RbDrsoX.js | AI (source-diff): This is standard Vite/Rollup minified React bundle output for a playground UI package. The 'obfuscation' is normal build minification, not malicious obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CLYvkx3I.js | AI (source-diff): This is a Vite-bundled React app asset. Minified output is expected for a playground package that ships its frontend build. Not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-CLYvkx3I.js | AI (source-diff): The fetch() call is a standard module preload polyfill in the Vite bundle. No malicious dropper behavior; this is a React playground shipping its bundled frontend. | ai | |
| source-diff | obfuscated-file:dist/assets/index-g50O6ttW.js | AI (source-diff): This is a standard Vite-minified React bundle for a playground UI. Long lines are expected in production builds; content is recognizable React/bundler boilerplate, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-g50O6ttW.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic execution (React rendering) in a bundled frontend playground are expected and benign. No external C2 or suspicious endpoints visible. | ai | |
| source-diff | obfuscated-file:dist/assets/index-IPLeCY8n.js | AI (source-diff): This is a Vite-bundled React app for an interactive playground; minified dist/assets bundles with long lines are expected and confirmed by the sample showing standard React/Vite patterns. | ai | |
| source-diff | net-exec-file:dist/assets/index-IPLeCY8n.js | AI (source-diff): fetch() and dynamic module patterns in this file are standard Vite modulepreload polyfill and React runtime code, not dropper/loader behavior. Confirmed by code sample. | ai | |
| source-diff | net-exec-file:dist/assets/index-Cly7WsjN.js | AI (source-diff): Network call is fetch() in a standard modulepreload polyfill; no dynamic code execution beyond normal React/Vite bundle patterns. False positive on legitimate browser app bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Cly7WsjN.js | AI (source-diff): Vite-minified React app bundle; content hash in filename is standard Vite asset fingerprinting. Not obfuscation — legitimate build output confirmed by SLSA provenance. | ai | |
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): lucide-react is a well-known icon library; phantom detection likely due to build-time bundling or config-level reference in this Vite-based library. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/postcss | AI (phantom-deps): @tailwindcss/postcss is a PostCSS plugin referenced in postcss.config rather than direct ES imports — expected phantom pattern for CSS tooling. | ai | |
| phantom-deps | phantom-dep:@monaco-editor/react | AI (phantom-deps): Monaco editor is the core dependency of this playground package; phantom detection likely a false positive from the analyzer's import scanning. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): tailwind-merge is a standard Tailwind utility; phantom detection consistent with build-time usage patterns in Vite-based component libraries. | ai | |
| phantom-deps | phantom-dep:clsx | AI (phantom-deps): clsx is a utility used in Tailwind/CSS class merging patterns; likely referenced via config or bundled at build time rather than direct ES import. Normal for this type of UI library. | ai | |
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 0.1.44 | 5 / 15 | |
| 0.1.43 | 5 / 15 | |
| 0.1.42 | 5 / 15 | |
| 0.1.41 | 5 / 15 | |
| 0.1.39 | 5 / 15 | |
| 0.1.38 | 5 / 15 | |
| 0.1.37 | 5 / 15 | |
| 0.1.36 | 5 / 15 | |
| 0.1.35 | 5 / 15 | |
| 0.1.34 | 5 / 15 | |
| 0.1.33 | 5 / 15 | |
| 0.1.32 | 5 / 15 | |
| 0.1.31 | 5 / 15 | |
| 0.1.30 | 5 / 15 | |
| 0.1.29 | 5 / 15 | |
| 0.1.28 | 5 / 15 | |
| 0.1.27 | 5 / 15 | |
| 0.1.26 | 5 / 15 | |
| 0.1.25 | 5 / 15 | |
| 0.1.24 | 5 / 15 | |
| 0.1.23 | 5 / 15 | |
| 0.1.22 | 5 / 15 | |
| 0.1.21 | 5 / 15 | |
| 0.1.20 | 5 / 15 | |
| 0.1.19 | 5 / 15 | |
| 0.1.18 | 5 / 15 | |
| 0.1.17 | 5 / 15 | |
| 0.1.16 | 5 / 15 | |
| 0.1.15 | 5 / 15 | |
| 0.1.14 | 5 / 15 | |
| 0.1.13 | 5 / 15 | |
| 0.1.12 | 5 / 15 | |
| 0.1.11 | 5 / 15 | |
| 0.1.10 | 5 / 15 | |
| 0.1.9 | 5 / 15 | |
| 0.1.8 | 5 / 15 | |
| 0.1.7 | 5 / 15 | |
| 0.1.6 | 5 / 15 | |
| 0.1.5 | 5 / 15 | |
| 0.1.3 | 5 / 15 | |
v0.1.44
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.43
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.42
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.41
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.39
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.38
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.37
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.36
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.35
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.34
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.33
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.32
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.31
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.30
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.29
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.28
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.27
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.26
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.25
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.24
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.23
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.22
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.21
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.20
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.19
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.18
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.17
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.16
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.15
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.14
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.13
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.12
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.11
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.10
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.9
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.8
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.7
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.