This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
redhat-cloud-services supply-chain compromise (2026-06-01): injected preinstall hook. Auto-reject any version with a preinstall script.
SAST Findings (4)
HIGHPackage has 'preinstall' scriptinstall-scripts
Script: node index.js
HIGHMissing gitHead — previous versions had itprovenance
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
HIGHNew obfuscated file: index.jssource-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
INFOHas SLSA provenance attestationprovenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
Review Summary
Risk score: 85. Findings: 3 high (+75), 1 medium (+10), 2 info (+0).