@nvidia-elements/cli
Command-line interface for Elements development and tooling, providing interactive prompts, project scaffolding, and integration with AI assistants via Model Context Protocol.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/api-Cy5BFQ6i.js | AI (source-diff): Same Vite bundle pattern; NVIDIA elements metadata content visible in sample. | ai | |
| source-diff | obfuscated-file:dist/api-BRdJzxHs.js | AI (source-diff): Vite-bundled CLI output with readable source-map comments; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/internals-Dc7j4vhh.js | AI (source-diff): Bundled ESLint/es-html-parser internals; source-map regions visible in sample. | ai | |
| source-diff | obfuscated-file:dist/projects-Bvkk5VvC.js | AI (source-diff): Bundled project metadata (changelogs, READMEs); no malicious content. | ai | |
| source-diff | obfuscated-file:dist/ui-BT2lpes_.js | AI (source-diff): UI bundle from Vite build; consistent with documented build pipeline. | ai | |
| source-diff | net-exec-file:dist/dist-BlvI3ZwL.js | AI (source-diff): CLI tool legitimately uses child_process (execFile/spawn) and network; no exfiltration pattern. | ai | |
| source-diff | obfuscated-file:dist/dist-BlvI3ZwL.js | AI (source-diff): Minified CLI bundle; imports are standard node/npm tooling (publint, adm-zip, archiver). | ai | |
| source-diff | net-exec-file:dist/internals-Dc7j4vhh.js | AI (source-diff): ESLint tooling bundle; network+exec combination is expected for a lint/build CLI. | ai | |
| source-diff | obfuscated-file:dist/examples-BfZetrdM.js | AI (source-diff): Bundled HTML/component examples data; long lines from JSON.parse of template strings. | ai | |
| source-diff | net-exec-file:dist/dist-CNfxN5ib.js | AI (source-diff): CLI tool legitimately uses child_process (execFile/spawn) and network for scaffolding; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/dist-CNfxN5ib.js | AI (source-diff): Vite bundle of CLI tooling; imports are standard (zod, publint, archiver, child_process). | ai | |
| source-diff | obfuscated-file:dist/api-rQATbSRU.js | AI (source-diff): Same pattern as api-CAapy3Cz.js — bundled metadata for lint internals. | ai | |
| source-diff | obfuscated-file:dist/api-CAapy3Cz.js | AI (source-diff): Vite-bundled static metadata; readable content with #region comments, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/ui-6LGVRhPk.js | AI (source-diff): MCP UI bundle; network calls expected for a browser-facing tool UI. | ai | |
| source-diff | obfuscated-file:dist/ui-6LGVRhPk.js | AI (source-diff): UI bundle for MCP inspector; consistent with 3MB Vite build output for a web UI. | ai | |
| source-diff | obfuscated-file:dist/projects-7MxzIwEA.js | AI (source-diff): Bundled project metadata with readable changelog/readme content; long lines from JSON strings. | ai | |
| source-diff | net-exec-file:dist/internals-DItJmSer.js | AI (source-diff): ESLint integration in a lint CLI tool; network+exec pattern is expected for linting workflows. | ai | |
| source-diff | obfuscated-file:dist/internals-DItJmSer.js | AI (source-diff): Bundled ESLint/es-html-parser internals; readable AST type definitions visible in sample. | ai | |
| source-diff | obfuscated-file:dist/projects-DlriJcjR.js | AI (source-diff): Bundled project metadata with README/changelog content as long strings; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/internals-BpmMESN6.js | AI (source-diff): ESLint linting internals; network+exec pattern is from bundled tooling deps, not malicious dropper. | ai | |
| source-diff | obfuscated-file:dist/internals-BpmMESN6.js | AI (source-diff): Vite bundle of ESLint and es-html-parser internals with readable region comments; standard build output. | ai | |
| source-diff | net-exec-file:dist/dist-CpnqnYy5.js | AI (source-diff): CLI tool legitimately uses execFile/spawn for build tooling and network calls for package management; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/dist-CpnqnYy5.js | AI (source-diff): Vite bundle of CLI tooling deps (zod, publint, adm-zip, etc.) with readable region comments; standard build output. | ai | |
| source-diff | obfuscated-file:dist/api-IhNK_aN_.js | AI (source-diff): Same pattern as api-BCfjiizk.js — bundled component metadata JSON, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/api-BCfjiizk.js | AI (source-diff): Vite bundle of NVIDIA Elements API metadata; long lines from JSON.parse of component docs, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/internals-BxQQ39Gt.js | AI (source-diff): Bundled ESLint/tooling internals; network+exec pattern is from bundled deps, not malware. | ai | |
| source-diff | obfuscated-file:dist/api-B7_CZHFN.js | AI (source-diff): Vite-bundled NVIDIA elements metadata; minified but readable and benign. | ai | |
| source-diff | net-exec-file:dist/dist-DJzptPJK.js | AI (source-diff): CLI tool legitimately uses child_process (exec/spawn) and network; expected for a scaffolding CLI. | ai | |
| source-diff | obfuscated-file:dist/projects-DFppz5ZM.js | AI (source-diff): Vite-bundled project metadata; readable JSON data in long lines. | ai | |
| source-diff | obfuscated-file:dist/internals-BxQQ39Gt.js | AI (source-diff): Vite-bundled ESLint/HTML-parser internals; standard build output. | ai | |
| source-diff | obfuscated-file:dist/examples-D9ndCVrP.js | AI (source-diff): Vite-bundled NVIDIA component examples; minified HTML/JSON data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dist-DJzptPJK.js | AI (source-diff): Vite-bundled CLI tool code; long lines are bundled deps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-QZpj82ze.js | AI (source-diff): Vite-bundled NVIDIA elements metadata; minified but readable and benign. | ai | |
| source-diff | net-exec-file:dist/internals-Bov91CUM.js | AI (source-diff): ESLint linting internals; network+exec pattern is lint tooling, not malware. | ai | |
| source-diff | obfuscated-file:dist/projects-B61tAWHM.js | AI (source-diff): Embedded project metadata JSON for NVIDIA elements packages; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/internals-Bov91CUM.js | AI (source-diff): Vite bundle of eslint and es-html-parser internals; readable source-map regions present. | ai | |
| source-diff | net-exec-file:dist/dist-SggMyQ8R.js | AI (source-diff): exec/spawn usage is CLI scaffolding tooling, not dropper behavior; consistent with declared purpose. | ai | |
| source-diff | obfuscated-file:dist/dist-SggMyQ8R.js | AI (source-diff): Vite bundle of known deps (zod, publint, adm-zip, child_process wrappers); CLI tool expected to use these. | ai | |
| source-diff | obfuscated-file:dist/api-pBSpDCU-.js | AI (source-diff): Same pattern as api-BDrefZ5V.js; minified bundle of component metadata. | ai | |
| source-diff | obfuscated-file:dist/api-BDrefZ5V.js | AI (source-diff): Vite-bundled output with readable source-map comments and NVIDIA component metadata; not obfuscated. | ai | |
| source-diff | net-exec-file:dist/dist-Cm8vuAgE.js | AI (source-diff): exec/spawn used for CLI project scaffolding; network calls are expected for a CLI tool fetching templates. | ai | |
| source-diff | obfuscated-file:dist/internals-CwNK5Rms.js | AI (source-diff): Bundled ESLint/es-html-parser internals with readable region comments; standard build output. | ai | |
| source-diff | net-exec-file:dist/internals-CwNK5Rms.js | AI (source-diff): ESLint tooling bundle; network+exec pattern is from bundled linting infrastructure, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/projects-BJHN2i4K.js | AI (source-diff): JSON metadata about NVIDIA Elements packages; long lines from embedded readme strings, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-CR1nw6zj.js | AI (source-diff): Vite-bundled output with readable region comments and NVIDIA Elements metadata; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/api-DkKc7xBm.js | AI (source-diff): Same pattern as api-CR1nw6zj.js; minified bundle of component metadata, not malicious. | ai | |
| source-diff | obfuscated-file:dist/dist-Cm8vuAgE.js | AI (source-diff): Vite bundle of CLI tooling with standard deps; long lines from bundled node_modules, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-CM8keeoA.js | AI (source-diff): Same pattern — Vite bundle of lint metadata with large JSON.parse strings. | ai | |
| source-diff | net-exec-file:dist/internals-DVGazMKh.js | AI (source-diff): ESLint integration in a lint tooling bundle; network+exec pattern is expected for this CLI. | ai | |
| source-diff | obfuscated-file:dist/internals-DVGazMKh.js | AI (source-diff): Vite bundle of ESLint/es-html-parser internals with readable region comments. | ai | |
| source-diff | net-exec-file:dist/dist-kCe2Ok_7.js | AI (source-diff): execFile/spawn usage is CLI tooling (publint, archiver, adm-zip); expected for a developer CLI package. | ai | |
| source-diff | obfuscated-file:dist/api-B8xlpJge.js | AI (source-diff): Vite bundle of NVIDIA Elements metadata; long lines from JSON.parse of component docs, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dist-kCe2Ok_7.js | AI (source-diff): Vite bundle of CLI tooling with readable //#region comments; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/projects-C8dUoN1n.js | AI (source-diff): Large JSON.parse of project/package metadata; standard Vite bundle output. | ai | |
| source-diff | obfuscated-file:dist/ui-p4Wyp3kw.js | AI (source-diff): Vite-bundled UI component code; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/api-D0tra9xJ.js | AI (source-diff): Vite-bundled output containing NVIDIA component metadata; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/api-DDV3LG2b.js | AI (source-diff): Vite-bundled output containing NVIDIA component metadata; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/dist-P4jbUdbp.js | AI (source-diff): Vite-bundled CLI dist; readable source with standard deps (zod, publint, archiver). | ai | |
| source-diff | net-exec-file:dist/dist-P4jbUdbp.js | AI (source-diff): CLI tool legitimately uses child_process + network; no exfiltration pattern in sample. | ai | |
| source-diff | obfuscated-file:dist/examples-CjgzsVYz.js | AI (source-diff): Bundled HTML/component examples data; long lines from JSON.parse of template strings. | ai | |
| source-diff | obfuscated-file:dist/internals-Tsp5x9Ys.js | AI (source-diff): Bundled ESLint + es-html-parser internals; standard build output. | ai | |
| source-diff | net-exec-file:dist/internals-Tsp5x9Ys.js | AI (source-diff): ESLint-based linting internals; network+exec pattern is lint tooling, not malware. | ai | |
| source-diff | obfuscated-file:dist/projects-Dt3SzC9L.js | AI (source-diff): Bundled project metadata/changelog data; long lines from JSON strings. | ai | |
| source-diff | obfuscated-file:dist/examples-BDKunplW.js | AI (source-diff): Long lines from JSON.parse of HTML template strings in component examples; standard bundler output. | ai | |
| source-diff | obfuscated-file:dist/internals-wRvMCWqA.js | AI (source-diff): Bundled ESLint + es-html-parser internals; readable source-map regions confirm legitimate bundler output. | ai | |
| source-diff | net-exec-file:dist/internals-wRvMCWqA.js | AI (source-diff): ESLint linting internals legitimately use dynamic code execution; no exfiltration or dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/projects-CwCGnXRc.js | AI (source-diff): Long lines from JSON.parse of project metadata/changelogs; standard bundler output. | ai | |
| source-diff | obfuscated-file:dist/ui-Hgv6CDCX.js | AI (source-diff): UI bundle from Vite build; minified output consistent with the build pipeline described in package.json. | ai | |
| source-diff | net-exec-file:dist/dist-Dy6DeaW_.js | AI (source-diff): Network + exec usage is expected for a CLI tool (spawn/exec for build commands, archiver for packaging); no dropper pattern visible. | ai | |
| source-diff | obfuscated-file:dist/dist-Dy6DeaW_.js | AI (source-diff): Bundled CLI code with standard imports (zod, fs, child_process, publint); long lines from bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-DCpBiQc5.js | AI (source-diff): Same pattern as api-3hbKL09O.js — minified bundle with component metadata JSON, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-3hbKL09O.js | AI (source-diff): Vite-bundled output with readable source-map regions; long lines from JSON.parse of component metadata, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-DRloMqDx.js | AI (source-diff): Same pattern as api-B7OZD3lK.js — bundled metadata JSON, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/projects-BeeaOYkQ.js | AI (source-diff): Bundled project registry metadata; long lines are serialized README/changelog strings. | ai | |
| source-diff | net-exec-file:dist/internals-DjOAJuv6.js | AI (source-diff): ESLint tooling bundle; network+exec pattern is from bundled linting infrastructure, not malware. | ai | |
| source-diff | obfuscated-file:dist/internals-DjOAJuv6.js | AI (source-diff): Bundled ESLint + es-html-parser internals; readable region comments confirm legitimate bundling. | ai | |
| source-diff | obfuscated-file:dist/examples-BTuxa5i8.js | AI (source-diff): Bundled HTML/CSS example templates serialized as JSON; long lines are expected. | ai | |
| source-diff | net-exec-file:dist/dist-pbU4WWcQ.js | AI (source-diff): Network + exec usage is the CLI's documented functionality (project scaffolding, child_process for build tools). | ai | |
| source-diff | obfuscated-file:dist/dist-pbU4WWcQ.js | AI (source-diff): Vite-minified CLI bundle; readable imports and source-map regions confirm legitimate tooling. | ai | |
| source-diff | obfuscated-file:dist/api-B7OZD3lK.js | AI (source-diff): Vite-bundled component metadata; long lines are JSON-serialized markdown, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-R7iroOrb.js | AI (source-diff): Same as above — bundled metadata file with long JSON lines, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/projects-CrSYQ-Dp.js | AI (source-diff): Bundled project metadata JSON; long lines from JSON.parse, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/internals-DHxr7UWP.js | AI (source-diff): ESLint-based linting tool; network+exec pattern is expected for a lint/build CLI. | ai | |
| source-diff | obfuscated-file:dist/internals-DHxr7UWP.js | AI (source-diff): Bundled ESLint + es-html-parser internals; readable source-map-annotated code. | ai | |
| source-diff | obfuscated-file:dist/examples-DjCR4I0Q.js | AI (source-diff): Bundled HTML/CSS example data with long JSON lines; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/dist-nWEeFfln.js | AI (source-diff): CLI tool legitimately uses child_process (exec/spawn) and fs; no exfiltration pattern visible. | ai | |
| source-diff | obfuscated-file:dist/dist-nWEeFfln.js | AI (source-diff): Vite bundle of CLI internals; imports are standard node/npm tooling (zod, publint, archiver). | ai | |
| source-diff | obfuscated-file:dist/api-D2ikxSwe.js | AI (source-diff): Vite-bundled CLI output; content is readable NVIDIA elements metadata, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/internals-B3TbKWCg.js | AI (source-diff): Vite-bundled ESLint/es-html-parser internals; minified but readable and legitimate. | ai | |
| source-diff | net-exec-file:dist/internals-B3TbKWCg.js | AI (source-diff): ESLint-based linting internals; network+exec combination is incidental to bundled tooling, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/dist-Dvf9iA-e.js | AI (source-diff): CLI tool legitimately uses child_process (exec/spawn) and fs; no suspicious network+exec pattern. | ai | |
| source-diff | obfuscated-file:dist/projects-B3tbvERp.js | AI (source-diff): Static project metadata JSON blob; long lines are markdown strings, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dist-Dvf9iA-e.js | AI (source-diff): Vite-bundled CLI tooling code; imports are explicit and readable. | ai | |
| source-diff | obfuscated-file:dist/api-Ca7kQjTk.js | AI (source-diff): Same pattern: bundled static API metadata JSON, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/api-C4iATpuz.js | AI (source-diff): Vite-bundled static JSON metadata; long lines are JSON-encoded markdown strings, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/projects-DwHROL8u.js | AI (source-diff): Static project-metadata bundle; long lines from JSON string content, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/internals-BEwaOU1_.js | AI (source-diff): Linting toolchain bundle; network+exec pattern is from bundled dev-tool dependencies. | ai | |
| source-diff | obfuscated-file:dist/internals-BEwaOU1_.js | AI (source-diff): Bundled ESLint/HTML-parser internals; long lines from minification. | ai | |
| source-diff | net-exec-file:dist/dist-BpAVgq_9.js | AI (source-diff): CLI tool legitimately uses child_process (exec/spawn) and network; no dropper pattern visible. | ai | |
| source-diff | obfuscated-file:dist/dist-BpAVgq_9.js | AI (source-diff): Vite-bundled CLI tool with readable imports; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/api-DWHdS78U.js | AI (source-diff): Same pattern as api-_4Zqf9pD.js — minified static metadata bundle. | ai | |
| source-diff | obfuscated-file:dist/api-_4Zqf9pD.js | AI (source-diff): Vite-bundled static metadata (JSON.parse of component docs); long lines from minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api-ClwjfRw0.js | AI (source-diff): Same Vite bundle pattern; readable metadata content for NVIDIA Elements components. | ai | |
| source-diff | obfuscated-file:dist/api-C0pUgNIf.js | AI (source-diff): Vite-bundled output with source-map region comments; content is NVIDIA Elements API metadata, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/projects-BJkKVG0o.js | AI (source-diff): JSON-serialized project metadata for NVIDIA Elements packages; long lines from data content. | ai | |
| source-diff | net-exec-file:dist/internals-BkTXeATD.js | AI (source-diff): Linting tooling with ESLint; network+exec pattern is expected for a dev CLI tool. | ai | |
| source-diff | obfuscated-file:dist/internals-BkTXeATD.js | AI (source-diff): Bundled ESLint/es-html-parser internals; readable source-mapped code, not malicious. | ai | |
| source-diff | obfuscated-file:dist/examples-7w7OwcR5.js | AI (source-diff): JSON-serialized HTML examples for NVIDIA Elements; long lines from data, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/dist-DuSCMilB.js | AI (source-diff): CLI tool legitimately uses child_process (exec/spawn) and network; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/dist-DuSCMilB.js | AI (source-diff): Minified CLI bundle with visible imports (zod, publint, archiver); standard build output. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is the standard initial version for NVIDIA/elements monorepo packages; not indicative of malicious intent. | ai | |
| phantom-deps | phantom-dep:publint | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@modelcontextprotocol/sdk | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@nvidia-elements/lint | AI (phantom-deps): Same-org scoped dep used in build; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@inquirer/prompts | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:marked-terminal | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:adm-zip | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:archiver | AI (phantom-deps): Used in config files; stable pattern for this package. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @nvidia-elements package from official NVIDIA org; distance-2 match to 'joi' is a false positive. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.3.1 | 14 / 12 | |
| 0.3.0 | 13 / 11 | |
| 0.2.3 | 13 / 11 | |
| 0.2.2 | 13 / 11 | |
| 0.2.1 | 13 / 11 | |
| 0.2.0 | 13 / 11 | |
| 0.1.0 | 12 / 11 | |
| 0.0.12 | 12 / 11 | |
| 0.0.11 | 12 / 11 | |
| 0.0.10 | 12 / 11 | |
| 0.0.9 | 12 / 11 | |
| 0.0.8 | 12 / 11 | |
| 0.0.7 | 12 / 11 | |
| 0.0.6 | 12 / 11 | |
| 0.0.5 | 12 / 11 | |
| 0.0.4 | 12 / 11 | |
| 0.0.3 | 12 / 11 | |
| 0.0.2 | 12 / 11 | |
| 0.0.1 | 12 / 11 | |
| 0.0.0 | 12 / 11 | |
v0.3.1
11 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.3
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.2
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.0
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.12
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.11
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.10
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.8
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.7
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.6
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.5
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.