@tangle-network/tcloud
TypeScript SDK and CLI for Tangle AI Cloud — decentralized LLM inference
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/client-CaD5Oal0.d.cts | AI (source-diff): TypeScript declaration file; no executable network+exec payload, just type definitions. | ai | |
| source-diff | net-exec-file:dist/chunk-U4VOGRVW.js | AI (source-diff): Legitimate bundled SDK routing code using crypto.getRandomValues; no dropper/exfiltration pattern. | ai | |
| source-diff | net-exec-file:dist/client-CaD5Oal0.d.ts | AI (source-diff): TypeScript declaration file; no executable network+exec payload, just type definitions. | ai | |
| source-diff | net-exec-file:dist/chunk-CVWEKCQ3.js | AI (source-diff): Bundled PrivateRouter implementation for LLM operator routing; legitimate SDK functionality matching package purpose. | ai | |
| source-diff | net-exec-file:dist/client-CF-tpVsi.d.ts | AI (source-diff): TypeScript declaration file; same as .d.cts counterpart — pure type definitions. | ai | |
| source-diff | net-exec-file:dist/client-CF-tpVsi.d.cts | AI (source-diff): TypeScript declaration file; no executable network+code-exec pattern, just type definitions for SDK config. | ai | |
| source-diff | net-exec-file:dist/chunk-M5K3EFNP.js | AI (source-diff): Bundled SDK chunk implementing LLM operator routing; network calls and crypto.getRandomValues are core SDK functionality. | ai | |
| source-diff | net-exec-file:dist/client-DkQugNHH.d.cts | AI (source-diff): TypeScript declaration file for SDK client; network refs are type annotations, not executable dropper code. | ai | |
| source-diff | net-exec-file:dist/client-DkQugNHH.d.ts | AI (source-diff): TypeScript declaration file for SDK client; network refs are type annotations, not executable dropper code. | ai | |
| source-diff | net-exec-file:dist/client-D7_hFedn.d.cts | AI (source-diff): TypeScript declaration file with SDK config types; no executable network+exec payload. | ai | |
| source-diff | net-exec-file:dist/client-D7_hFedn.d.ts | AI (source-diff): TypeScript declaration file with SDK config types; no executable network+exec payload. | ai | |
| source-diff | net-exec-file:dist/client-_ghO89WM.d.cts | AI (source-diff): TypeScript declaration file with SDK config types; no executable network+exec payload. | ai | |
| source-diff | net-exec-file:dist/chunk-AKR7CS4P.js | AI (source-diff): Bundled SDK chunk implementing operator routing logic; no obfuscation or malicious exec pattern. | ai | |
| source-diff | net-exec-file:dist/client-_ghO89WM.d.ts | AI (source-diff): TypeScript declaration file with SDK config types; no executable network+exec payload. | ai | |
| source-diff | net-exec-file:dist/chunk-B22AH4JH.js | AI (source-diff): Bundled SDK chunk implementing LLM operator routing; network calls are the documented product feature, no obfuscation. | ai | |
| source-diff | net-exec-file:dist/client-C547pugt.d.cts | AI (source-diff): TypeScript declaration file for SDK client; no executable code, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/client-C547pugt.d.ts | AI (source-diff): TypeScript declaration file for SDK client; no executable code, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/chunk-LN7XX5KG.js | AI (source-diff): Bundled SDK chunk implementing LLM operator routing; network calls and crypto.getRandomValues are core SDK functionality. | ai | |
| source-diff | net-exec-file:dist/client-DskWX_BT.d.ts | AI (source-diff): TypeScript declaration file for SDK client; no executable code, just type definitions. | ai | |
| source-diff | net-exec-file:dist/client-DskWX_BT.d.cts | AI (source-diff): TypeScript declaration file for SDK client; no executable code, just type definitions. | ai | |
| phantom-deps | phantom-dep:@scure/bip39 | AI (phantom-deps): Declared runtime dep; bundled via tsup so direct import may not appear in source scan. | ai | |
| phantom-deps | phantom-dep:@scure/bip32 | AI (phantom-deps): Declared runtime dep; bundled via tsup so direct import may not appear in source scan. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 0.4.12 | 6 / 6 | |
| 0.4.11 | 6 / 6 | |
| 0.4.10 | 6 / 6 | |
| 0.4.9 | 6 / 6 | |
| 0.4.8 | 6 / 6 | |
| 0.4.6 | 6 / 6 | |
| 0.4.5 | 6 / 6 | |
| 0.4.4 | 6 / 6 | |
| 0.4.3 | 6 / 6 | |
| 0.4.2 | 5 / 6 | |
| 0.4.1 | 5 / 6 | |
| 0.4.0 | 5 / 6 | |
| 0.3.0 | 5 / 6 | |
| 0.2.0 | 4 / 6 | |
| 0.1.4 | 4 / 6 | |
| 0.1.3 | 4 / 6 | |
| 0.1.2 | 4 / 6 | |
| 0.1.1 | 4 / 6 | |
| 0.1.0 | 4 / 6 | |
v0.4.12
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: drewstone.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.11
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: drewstone.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.10
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.9
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: drewstone.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.8
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.5
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.