@owox/web — Greenflagged

Web interface for OWOX Data Marts - an open-source solution for Data Analysts

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

max-voloshyn

Keywords

owoxdata-martsweb-appreacttypescripttailwind

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/assets/index-D5aLo6qw.js	AI (source-diff): Standard Vite production bundle; samples show React/license headers, not obfuscation.	ai	2026/04/30
source-diff	obfuscated-file:dist/assets/RelationshipCanvas-DHD_684J.js	AI (source-diff): Vite-bundled canvas feature chunk; samples show lucide-react and rete library code.	ai	2026/04/30
source-diff	net-exec-file:dist/assets/RelationshipCanvas-DHD_684J.js	AI (source-diff): Network+exec pattern is from bundled rete/React code, not dropper behavior.	ai	2026/04/30
dependencies	unvetted-dep:@owox/ui	AI (dependencies): Local monorepo path dependency to same-org sibling package; not a third-party supply chain risk.	ai	2026/04/30
phantom-deps	phantom-dep:@monaco-editor/react	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:@tanstack/react-query	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:react-hook-form	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:react	AI (phantom-deps): Bundled React app; deps referenced in config/build files, not direct imports — stable FP for this package.	ai	2026/04/29
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): Same as react; bundled app pattern.	ai	2026/04/29
phantom-deps	phantom-dep:@hookform/resolvers	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:tailwindcss	AI (phantom-deps): CSS build tool referenced in config; expected for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@owox/ui	AI (phantom-deps): Monorepo sibling package; local path dep, not a supply-chain risk.	ai	2026/04/29
phantom-deps	phantom-dep:@dnd-kit/core	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:@dnd-kit/sortable	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:@dnd-kit/utilities	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:axios	AI (phantom-deps): Bundled app; used transitively or in config, not a phantom risk.	ai	2026/04/29
phantom-deps	phantom-dep:react-hot-toast	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:react-router-dom	AI (phantom-deps): Bundled app; stable FP.	ai	2026/04/29
phantom-deps	phantom-dep:@tailwindcss/vite	AI (phantom-deps): Build tool referenced in vite config; stable FP.	ai	2026/04/29

Versions (showing 6 of 6)

Version	Deps	Published
0.24.0	21 / 15	2026-04-30
0.23.0	15 / 15	2026-04-16
0.22.0	15 / 15	2026-04-02
0.15.0	14 / 12	2025-12-11
0.12.0	14 / 11	2025-11-13
0.11.0	14 / 11	2025-10-30

v0.24.0

4 findings

HIGH New obfuscated file: dist/assets/index-D5aLo6qw.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/assets/RelationshipCanvas-DHD_684J.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/assets/RelationshipCanvas-DHD_684J.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.