@turbo/codemod
Provides Codemod transformations to help upgrade your Turborepo codebase when a feature is deprecated.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/dist-CM5dI28P.js | AI (source-diff): Minified bundle of legitimate deps (js-yaml, etc.); standard build output for this package. | ai | |
| source-diff | net-exec-file:dist/dist-CM5dI28P.js | AI (source-diff): Network/exec calls are from bundled node:child_process and update-check; expected for a codemod CLI tool. | ai | |
| source-diff | obfuscated-file:dist/runner-sNjkx4u0.js | AI (source-diff): Minified bundle of legitimate deps; standard build output for this package. | ai | |
| source-diff | net-exec-file:dist/runner-sNjkx4u0.js | AI (source-diff): Network/exec calls from bundled node:child_process and update-check; expected for a codemod CLI tool. | ai | |
| phantom-deps | phantom-dep:inquirer | AI (phantom-deps): Bundled into dist; false positive. | ai | |
| source-diff | obfuscated-file:dist/runner-BbVjU0ci.js | AI (source-diff): Standard minified bundle output from tsdown; sample shows legitimate codemod runner code. | ai | |
| source-diff | net-exec-file:dist/dist-beJVDhbp.js | AI (source-diff): Network calls are update-check; child_process is for running codemods — expected for this CLI tool. | ai | |
| source-diff | obfuscated-file:dist/dist-beJVDhbp.js | AI (source-diff): Standard minified bundle output from tsdown build tool; legitimate YAML/utility code visible in sample. | ai | |
| source-diff | net-exec-file:dist/runner-BbVjU0ci.js | AI (source-diff): Same pattern as dist-beJVDhbp.js; update-check + child_process are documented codemod CLI features. | ai | |
| phantom-deps | phantom-dep:inquirer-file-tree-selection-prompt | AI (phantom-deps): Bundled into dist; false positive. | ai | |
| source-diff | obfuscated-file:dist/dist-DHVkV0NT.js | AI (source-diff): Minified bundler output (tsdown); content matches known libraries (js-yaml, regenerator-runtime). | ai | |
| source-diff | net-exec-file:dist/get-transformer-helpers-a8Tz9e-N.js | AI (source-diff): Same rationale as dist-DHVkV0NT.js — update-check + child_process are expected in this codemod CLI. | ai | |
| source-diff | obfuscated-file:dist/get-transformer-helpers-a8Tz9e-N.js | AI (source-diff): Minified bundler output; content matches known libraries bundled by tsdown. | ai | |
| source-diff | net-exec-file:dist/dist-DHVkV0NT.js | AI (source-diff): Network calls are update-check; code execution is child_process used by codemod tooling — expected for this package. | ai | |
| source-diff | net-exec-file:dist/dist-xiT9itt2.js | AI (source-diff): Network calls and child_process usage are expected in a codemod CLI tool; no dropper pattern evident. | ai | |
| source-diff | obfuscated-file:dist/dist-xiT9itt2.js | AI (source-diff): Standard tsdown bundle output for @turbo/codemod; minified but not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/get-transformer-helpers-COgaexeM.js | AI (source-diff): Standard tsdown bundle output for @turbo/codemod; minified but not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/get-transformer-helpers-COgaexeM.js | AI (source-diff): Network calls and child_process usage are expected in a codemod CLI tool; no dropper pattern evident. | ai | |
| source-diff | net-exec-file:dist/runner-Qa95HmyV.js | AI (source-diff): Same as dist-B5rR31JW.js; update-check + child_process for codemod runner; legitimate use. | ai | |
| source-diff | obfuscated-file:dist/runner-Qa95HmyV.js | AI (source-diff): Minified bundle; imports are all declared deps; no obfuscation beyond standard minification. | ai | |
| source-diff | net-exec-file:dist/dist-B5rR31JW.js | AI (source-diff): Network calls are update-check/version-check; code execution is standard Node.js child_process for codemod transforms. | ai | |
| source-diff | obfuscated-file:dist/dist-B5rR31JW.js | AI (source-diff): Minified bundle of known deps (js-yaml, etc.); no malicious patterns in sample; consistent with tsdown build output. | ai | |
| source-diff | obfuscated-file:dist/dist-CPGs1S7i.js | AI (source-diff): Standard tsdown bundle output for @turbo/codemod; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/runner-ionPv0sZ.js | AI (source-diff): Bundled CLI runner; network+exec pattern is from bundled deps (update-check, child_process), not malware. | ai | |
| source-diff | net-exec-file:dist/dist-CPGs1S7i.js | AI (source-diff): Bundled YAML/CLI code; network+exec pattern is from bundled deps, not malware. | ai | |
| source-diff | obfuscated-file:dist/runner-ionPv0sZ.js | AI (source-diff): Standard tsdown bundle output for @turbo/codemod; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dist-CmRfU9w3.js | AI (source-diff): Standard bundled/minified dist output for a codemod CLI; content is legitimate library code. | ai | |
| source-diff | obfuscated-file:dist/runner-Ci3IamWM.js | AI (source-diff): Standard bundled/minified dist output for a codemod CLI; content is legitimate library code. | ai | |
| source-diff | net-exec-file:dist/dist-CmRfU9w3.js | AI (source-diff): Network+exec pattern is bundled child_process/update-check usage, not dropper malware. | ai | |
| source-diff | net-exec-file:dist/runner-Ci3IamWM.js | AI (source-diff): Network+exec pattern is bundled child_process/update-check usage, not dropper malware. | ai | |
| source-diff | net-exec-file:dist/runner-BXVdw9eY.js | AI (source-diff): Same bundle; network+exec pattern is from bundled deps (update-check, child_process) not malware. | ai | |
| source-diff | obfuscated-file:dist/dist-TnfTwrBN.js | AI (source-diff): Standard esbuild/tsdown bundle output for this package; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/runner-BXVdw9eY.js | AI (source-diff): Standard esbuild/tsdown bundle output for this package; not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/dist-TnfTwrBN.js | AI (source-diff): Network calls are update-check; code execution is child_process for codemod transforms — expected for this tool. | ai | |
| source-diff | net-exec-file:dist/runner-BB60mHRe.js | AI (source-diff): Same as dist-DTutL_kT.js — legitimate CLI tool bundling update-check and child_process from known deps. | ai | |
| source-diff | obfuscated-file:dist/runner-BB60mHRe.js | AI (source-diff): Standard esbuild/tsdown minified bundle output; sample shows known deps like regenerator-runtime, picocolors, fs-extra. | ai | |
| source-diff | net-exec-file:dist/dist-DTutL_kT.js | AI (source-diff): Network calls and child_process are legitimate CLI features (update-check, codemod execution); bundled from known deps. | ai | |
| source-diff | obfuscated-file:dist/dist-DTutL_kT.js | AI (source-diff): Standard esbuild/tsdown minified bundle output for this CLI tool; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/runner-pd7wGl_6.js | AI (source-diff): Same bundled-deps pattern; no malicious payload visible in samples. | ai | |
| source-diff | net-exec-file:dist/dist-DPnC9gtO.js | AI (source-diff): Network+exec pattern is from bundled deps (update-check, child_process); expected for a CLI codemod tool. | ai | |
| source-diff | obfuscated-file:dist/runner-pd7wGl_6.js | AI (source-diff): Standard tsdown bundle output; contains recognizable OSS library code. | ai | |
| source-diff | obfuscated-file:dist/dist-DPnC9gtO.js | AI (source-diff): Standard tsdown bundle output for this package; content matches known deps. | ai | |
| provenance | publisher-changed | AI (provenance): turbobot → GitHub Actions is a documented CI pipeline migration for vercel/turborepo; SLSA provenance confirms legitimate CI publish. | ai | |
| source-diff | net-exec-file:dist/runner-CVJuNfzM.js | AI (source-diff): Bundled deps (update-check, child_process) in a codemod CLI; no malicious dropper pattern. | ai | |
| source-diff | net-exec-file:dist/dist-CKadySos.js | AI (source-diff): Bundled deps (yaml, child_process) in a codemod CLI; no malicious dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/runner-CVJuNfzM.js | AI (source-diff): Standard esbuild/tsdown bundle output for a codemod CLI; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dist-CKadySos.js | AI (source-diff): Standard esbuild/tsdown bundle output for a codemod CLI; not obfuscation. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:diff | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:@inquirer/prompts | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:gradient-string | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:brace-expansion | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:update-check | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:is-git-clean | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:picocolors | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:find-up | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:json5 | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): CLI tool; dependencies used via config-driven transformer loading, not direct imports. | ai | |
Versions (showing 50 of 50)
| Version | Deps | Published |
|---|---|---|
| 2.9.16 | 14 / 18 | |
| 2.9.15 | 14 / 18 | |
| 2.9.14 | 14 / 18 | |
| 2.9.12 | 14 / 18 | |
| 2.9.11 | 14 / 18 | |
| 2.9.10 | 14 / 18 | |
| 2.9.9 | 14 / 18 | |
| 2.9.8 | 14 / 18 | |
| 2.9.7 | 14 / 18 | |
| 2.9.6 | 14 / 18 | |
| 2.9.5 | 13 / 18 | |
| 2.9.4 | 13 / 18 | |
| 2.9.3 | 13 / 18 | |
| 2.9.2 | 13 / 18 | |
| 2.9.1 | 13 / 18 | |
| 2.9.0 | 12 / 18 | |
| 2.8.21 | 12 / 18 | |
| 2.8.20 | 12 / 18 | |
| 2.8.19 | 12 / 18 | |
| 2.8.18 | 12 / 18 | |
| 2.8.17 | 12 / 18 | |
| 2.8.16 | 12 / 18 | |
| 2.8.15 | 12 / 18 | |
| 2.8.14 | 12 / 18 | |
| 2.8.13 | 12 / 18 | |
| 2.8.12 | 12 / 18 | |
| 2.8.11 | 12 / 18 | |
| 2.8.10 | 12 / 18 | |
| 2.8.9 | 12 / 18 | |
| 2.8.8 | 12 / 18 | |
| 2.8.7 | 12 / 20 | |
| 2.8.6 | 12 / 20 | |
| 2.8.5 | 12 / 20 | |
| 2.8.4 | 12 / 20 | |
| 2.8.3 | 13 / 21 | |
| 2.8.2 | 13 / 21 | |
| 2.7.3 | 14 / 22 | |
| 2.7.2 | 14 / 22 | |
| 2.7.1 | 14 / 22 | |
| 2.7.0 | 14 / 22 | |
| 2.6.3 | 14 / 22 | |
| 2.6.2 | 14 / 22 | |
| 2.6.1 | 14 / 22 | |
| 2.6.0 | 14 / 22 | |
| 2.5.8 | 14 / 22 | |
| 2.5.7 | 14 / 22 | |
| 2.5.6 | 14 / 22 | |
| 2.5.5 | 14 / 22 | |
| 2.5.4 | 14 / 22 | |
| 2.5.3 | 14 / 22 | |
v2.9.16
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.15
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.14
6 findings
This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.12
6 findings
This version was published by a different npm account than previous versions on 2026-05-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.11
6 findings
This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.10
6 findings
This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.3
6 findings
This version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.2
6 findings
This version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.1
6 findings
This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.0
6 findings
This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.21
6 findings
This version was published by a different npm account than previous versions on 2026-03-28. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.20
6 findings
This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.19
6 findings
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.18
6 findings
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.17
6 findings
This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.16
6 findings
This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.15
6 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.14
6 findings
This version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.13
6 findings
This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.12
6 findings
This version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.11
6 findings
This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.10
6 findings
This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.9
6 findings
This version was published by a different npm account than previous versions on 2026-02-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.8
6 findings
This version was published by a different npm account than previous versions on 2026-02-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.7
6 findings
This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.6
6 findings
This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.5
6 findings
This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.4
6 findings
This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.3
6 findings
This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.2
6 findings
This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.3
2 findings
This version was published by a different npm account than previous versions on 2026-01-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.2
2 findings
This version was published by a different npm account than previous versions on 2025-12-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.1
2 findings
This version was published by a different npm account than previous versions on 2025-12-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.0
2 findings
This version was published by a different npm account than previous versions on 2025-12-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.3
2 findings
This version was published by a different npm account than previous versions on 2025-12-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.2
2 findings
This version was published by a different npm account than previous versions on 2025-12-03. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.