@webitel/ui-sdk
Main lib
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/install-DJFUeaKV.js | AI (source-diff): Vite-bundled Vue component library output; long lines are minified build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-C4k-DhDC.js | AI (source-diff): Minified table component chunk; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-DGdwU4In.js | AI (source-diff): Minified error page chunk with inline SVG; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-sXbqwELW.js | AI (source-diff): Minified chunk with inline SVG data URIs; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-BlNdCD8_.js | AI (source-diff): Minified emoji-picker chunk; standard build output. | ai | |
| source-diff | net-exec-file:dist/install-DJFUeaKV.js | AI (source-diff): False positive on bundled Vue app code with standard fetch/dynamic-import patterns. | ai | |
| source-diff | obfuscated-file:dist/install-BuMO14Rb.js | AI (source-diff): Standard Vite minified bundle; long lines are normal for this package's dist output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-Dh0I10zQ.js | AI (source-diff): Long lines are URL-encoded SVG data in a standard Vite bundle. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-DeqGCW4M.js | AI (source-diff): Long lines are URL-encoded SVG data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-6IZXyyQv.js | AI (source-diff): Minified Vite chunk; emoji CDN URL is from emoji-picker-element dependency, not malicious. | ai | |
| source-diff | net-exec-file:dist/install-BuMO14Rb.js | AI (source-diff): Network calls and dynamic code in Vue component bundles are expected for this UI SDK. | ai | |
| source-diff | obfuscated-file:dist/install-MeHxIEWi.js | AI (source-diff): Standard Vite-minified bundle for a Vue UI SDK; content shows normal Vue/ESM imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-fD1n6Ca8.js | AI (source-diff): Long lines are URL-encoded SVG path data for error page illustration, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-BJqC03G2.js | AI (source-diff): Long lines are URL-encoded SVG data, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-gtRYtqkJ.js | AI (source-diff): Minified emoji-picker-element bundle; content is clearly emoji picker IndexedDB logic, not malicious. | ai | |
| source-diff | net-exec-file:dist/install-MeHxIEWi.js | AI (source-diff): Network calls and dynamic code in bundled Vue UI SDK are expected (fetch for emoji data, dynamic component loading). | ai | |
| source-diff | net-exec-file:dist/install-Uz_WcuKf.js | AI (source-diff): Network call is emoji-picker CDN fetch (jsdelivr); no dynamic code execution beyond normal Vue runtime. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-DYdNWZch.js | AI (source-diff): Vite bundle chunk with URL-encoded SVG path data; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-S6P5IFvl.js | AI (source-diff): Vite bundle chunk with URL-encoded SVG; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-CtvAfq9L.js | AI (source-diff): Vite bundle chunk for emoji picker component; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/install-Uz_WcuKf.js | AI (source-diff): Standard Vite-bundled Vue component chunk; minification triggers rule but content is benign. | ai | |
| source-diff | net-exec-file:dist/install-MwLwnvU6.js | AI (source-diff): Network call is emoji-picker-element fetching CDN emoji data; no dynamic code execution of remote content. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-nil4zmk5.js | AI (source-diff): Minified Vite chunk with URL-encoded SVG error page graphic; normal build output. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-CjuwwVGB.js | AI (source-diff): Minified Vite chunk containing URL-encoded SVG; normal build output. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-DYXEUfIV.js | AI (source-diff): Minified Vite chunk for emoji picker component; normal build output. | ai | |
| source-diff | obfuscated-file:dist/install-MwLwnvU6.js | AI (source-diff): Standard Vite minified bundle for a Vue UI SDK; long lines are normal minification output. | ai | |
| source-diff | net-exec-file:dist/install-D-fDpH8o.js | AI (source-diff): Network calls are emoji CDN data fetches; dynamic code execution is Vue's runtime rendering — no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-C-UOZm82.js | AI (source-diff): URL-encoded SVG error page illustration in minified Vue component; normal build output. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-CXxTx5PV.js | AI (source-diff): URL-encoded SVG assets in minified Vue component; normal build output. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-7BCR-KNF.js | AI (source-diff): Minified emoji-picker-element bundle; matches declared emoji-picker-element dependency. | ai | |
| source-diff | obfuscated-file:dist/install-D-fDpH8o.js | AI (source-diff): Standard Vite bundle of Vue UI components; minified lines are normal build output for this SDK. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-DamPrF3N.js | AI (source-diff): Vite bundle with inline SVG data URI; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-B3gopWBB.js | AI (source-diff): Vite bundle with inline SVG; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-CQ2r3NMw.js | AI (source-diff): Vite bundle with inline SVG data URI; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-DlCyrANh.js | AI (source-diff): Vite-bundled emoji picker component; minified but readable Vue/IndexedDB logic. | ai | |
| source-diff | net-exec-file:dist/install-PDJJDxnH.js | AI (source-diff): Network call is emoji CDN data fetch; no dynamic code execution beyond normal Vue rendering. | ai | |
| source-diff | obfuscated-file:dist/install-PDJJDxnH.js | AI (source-diff): Standard Vite build output; minified Vue component bundle, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/install-Bmdyhhbh.js | AI (source-diff): Standard Vite-minified Vue component bundle; readable imports and logic confirm no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-DIbLIafL.js | AI (source-diff): Minified Vue error-page component with inline SVG; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-CdSPx66Q.js | AI (source-diff): Minified Vue component with inline SVG data URI; no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-9hQfRr7G.js | AI (source-diff): Minified emoji-picker component bundle; readable Vue imports and IndexedDB logic. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-CD4EplxA.js | AI (source-diff): Minified Vue table component; readable imports confirm standard build artifact. | ai | |
| source-diff | net-exec-file:dist/install-Bmdyhhbh.js | AI (source-diff): Network calls are emoji CDN fetches; dynamic code execution is standard Vue reactivity patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-CUtTN1q_.js | AI (source-diff): Minified emoji-picker component bundle; long lines are normal minifier output. | ai | |
| source-diff | obfuscated-file:dist/install-a-C0Uz5X.js | AI (source-diff): Standard Vite-minified bundle of Vue UI components; long lines are normal minifier output. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-BWDKZosT.js | AI (source-diff): Minified Vue table component; long lines are normal minifier output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-B4pbqoOI.js | AI (source-diff): Minified Vue error-page component with URL-encoded SVG; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-DuLtIKMP.js | AI (source-diff): Minified Vue component with URL-encoded SVG inline data; normal build artifact. | ai | |
| source-diff | net-exec-file:dist/install-a-C0Uz5X.js | AI (source-diff): Network call is emoji-picker CDN fetch (jsdelivr); no dynamic code execution beyond normal Vue runtime. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-5n_9FKhp.js | AI (source-diff): Vite-bundled emoji picker component; minification triggers rule, no malicious content. | ai | |
| source-diff | obfuscated-file:dist/install-BUa1vI9s.js | AI (source-diff): Standard Vite-bundled Vue component output; minification triggers rule but no malicious content. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-bC1IdvdS.js | AI (source-diff): Vite-bundled table component with URL-encoded SVG; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-DfUOuTIJ.js | AI (source-diff): Vite-bundled error page component with URL-encoded SVG; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-C3F8UALY.js | AI (source-diff): Vite-bundled component with URL-encoded SVG assets; standard build output. | ai | |
| source-diff | net-exec-file:dist/install-BUa1vI9s.js | AI (source-diff): Network call is emoji-picker CDN fetch; dynamic code execution is Vue's runtime rendering — normal UI SDK behavior. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-B2TUUnF-.js | AI (source-diff): Vite-minified emoji picker component; long lines are bundled output. | ai | |
| source-diff | obfuscated-file:dist/install-BNNJFRDJ.js | AI (source-diff): Standard Vite-minified Vue bundle; long lines are normal for bundled output. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-DQtoij8i.js | AI (source-diff): URL-encoded SVG inline data causes long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-CJxYSeu-.js | AI (source-diff): URL-encoded SVG inline data causes long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-Bjw8UxPk.js | AI (source-diff): URL-encoded SVG inline data causes long lines; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/install-BNNJFRDJ.js | AI (source-diff): Network calls are Vue component data fetches (emoji CDN); no dynamic code execution pattern. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-DVn93O_A.js | AI (source-diff): Minified Vite chunk with inline SVG data URI; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/install-BPGa7xcr.js | AI (source-diff): Standard Vite build output (minified Vue component bundle); not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/install-BPGa7xcr.js | AI (source-diff): Network calls and dynamic code in Vite bundle are normal Vue/component library patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-CqVmODXu.js | AI (source-diff): Minified Vite chunk; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-DzpLr_VF.js | AI (source-diff): Minified Vite chunk with inline SVG data URI; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-BzJxFQX-.js | AI (source-diff): Minified Vite chunk for emoji-picker component; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-Btmg48Xk.js | AI (source-diff): Minified Vue component with URL-encoded SVG; standard build output. | ai | |
| source-diff | obfuscated-file:dist/install-Sbp7aowq.js | AI (source-diff): Standard Vite-bundled Vue UI library chunk; minified but not obfuscated, readable Vue imports visible. | ai | |
| source-diff | net-exec-file:dist/install-Sbp7aowq.js | AI (source-diff): Network calls are emoji CDN fetch (jsdelivr); no dynamic code execution beyond normal Vue runtime patterns. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-BMQfL9X3.js | AI (source-diff): Minified emoji-picker-element bundle; standard build output for this UI SDK. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-zL3IkviW.js | AI (source-diff): Minified Vue component with URL-encoded SVG; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-D2niYDeI.js | AI (source-diff): Minified Vue component; standard build output for this UI SDK. | ai | |
| source-diff | obfuscated-file:dist/install-rysuPEjF.js | AI (source-diff): Standard Vite bundle chunk; minified Vue component code, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/install-rysuPEjF.js | AI (source-diff): Network calls and dynamic code in a UI SDK bundle are normal Vue/fetch patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-Rt-F9oVv.js | AI (source-diff): Minified Vite chunk with inline SVG; normal UI component bundle. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-DHdJccrG.js | AI (source-diff): Minified Vite chunk with inline SVG data URI; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-D_4QMhH7.js | AI (source-diff): Minified Vite chunk for emoji picker component; sample shows legitimate emoji-picker-element IndexedDB code. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-CPacgsbN.js | AI (source-diff): Minified Vite chunk; sample shows standard Vue component with inline SVG. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-CrbQHj7e.js | AI (source-diff): URL-encoded SVG inline data causes long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-C4AY_Nyy.js | AI (source-diff): URL-encoded SVG inline data causes long lines; standard Vite build output. | ai | |
| source-diff | obfuscated-file:dist/install-b3LF2l6e.js | AI (source-diff): Standard Vite bundle of Vue components; long lines are minified JS, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/install-b3LF2l6e.js | AI (source-diff): Network call is emoji-picker-element fetching CDN data; no dynamic code execution beyond normal Vue rendering. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-8kgugJp3.js | AI (source-diff): Vite-bundled emoji picker component; minified lines are expected build output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-C6Ffq5UN.js | AI (source-diff): URL-encoded SVG inline data causes long lines; standard Vite build output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-Bfzt7YQO.js | AI (source-diff): Minified Vite bundle with URL-encoded SVG error page; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-DHEaw92W.js | AI (source-diff): Minified Vite bundle; normal build artifact. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publisher with SLSA provenance attestation is a legitimate supply chain improvement. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-TCGzXQUx.js | AI (source-diff): Minified Vite bundle with URL-encoded SVG; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-BEPJGh0L.js | AI (source-diff): Minified Vite bundle for emoji picker component; normal build artifact. | ai | |
| source-diff | net-exec-file:dist/install-CrhatfOO.js | AI (source-diff): Network call is emoji data CDN fetch (jsdelivr); no dynamic code execution pattern present. | ai | |
| source-diff | obfuscated-file:dist/install-CrhatfOO.js | AI (source-diff): Standard Vite-minified Vue component bundle; long lines are minified JS, not obfuscation. | ai | |
| dependencies | unvetted-peer-dep:jszip-utils | AI (dependencies): Optional peer dep for file handling; already accepted in prior versions. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-1PQXgyFT.js | AI (source-diff): Minified Vite bundle; content is Vue component with URL-encoded SVG. | ai | |
| source-diff | obfuscated-file:dist/install-Dq6Xzj7N.js | AI (source-diff): Standard Vite-minified bundle for a Vue UI SDK; long lines are normal bundler output. | ai | |
| source-diff | net-exec-file:dist/install-Dq6Xzj7N.js | AI (source-diff): Network calls are emoji-picker CDN data fetches; dynamic execution is Vue runtime patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-DlcRu7FP.js | AI (source-diff): Minified Vite bundle; content is emoji-picker-element component code. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-C6iAgiXM.js | AI (source-diff): Minified Vite bundle; content is URL-encoded SVG assets and Vue component code. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-Bfl_LRhh.js | AI (source-diff): Minified Vite bundle; content is URL-encoded SVG error page assets. | ai | |
| source-diff | obfuscated-file:dist/install-BCOGjWv4.js | AI (source-diff): Standard Vite-minified Vue bundle; readable imports from 'vue', no actual obfuscation. | ai | |
| source-diff | net-exec-file:dist/install-BCOGjWv4.js | AI (source-diff): Network calls are CDN fetches for emoji data; no dynamic code execution beyond normal Vue runtime patterns. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-BbcSpHw0.js | AI (source-diff): Minified Vite bundle for emoji picker component; readable Vue imports, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-CmcHeJ67.js | AI (source-diff): Minified Vite bundle with inline SVG data URI; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-zxeVvway.js | AI (source-diff): Minified Vite bundle with inline SVG; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-CV2ViLFe.js | AI (source-diff): Minified Vite bundle; standard build output. | ai | |
| dependencies | unvetted-dep:emoji-picker-element | AI (dependencies): emoji-picker-element is a standard web component; aligns with new wt-chat-emoji dist file in this version. | ai | |
| dependencies | unvetted-dep:xlsx | AI (dependencies): xlsx is a widely-used spreadsheet library; its use is consistent with this SDK's file-export functionality. | ai | |
| source-diff | net-exec-file:dist/install-Bd5HfFTV.js | AI (source-diff): Network refs are CDN emoji data URLs; dynamic code is Vue reactivity internals, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-DaGMSlL1.js | AI (source-diff): Minified Vue component; standard Vite build output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-BMpoQdQl.js | AI (source-diff): Minified Vue component with inline SVG data URIs; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-OrcannPM.js | AI (source-diff): Minified Vue component with inline SVG data URIs; standard build output. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-CUjHxdzV.js | AI (source-diff): Minified emoji-picker-element bundle; expected for this dependency. | ai | |
| source-diff | obfuscated-file:dist/install-Bd5HfFTV.js | AI (source-diff): Standard Vite minified bundle output for a Vue UI SDK; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/install-BjjBYpbl.js | AI (source-diff): Standard Vite-minified bundle for a Vue UI SDK; long lines are minified JS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-DrcFp4Wl.js | AI (source-diff): Vite-minified lazy chunk; sample shows standard Vue component imports. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-IIP3rusg.js | AI (source-diff): Vite-minified lazy chunk; sample shows standard Vue component with inline SVG data URI. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-BF8MnBYQ.js | AI (source-diff): Vite-minified lazy chunk; sample shows standard Vue component with inline SVG data URI. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-CcTec-mP.js | AI (source-diff): Vite-minified lazy chunk for emoji picker component; sample shows normal Vue imports. | ai | |
| source-diff | net-exec-file:dist/install-BjjBYpbl.js | AI (source-diff): Network calls and dynamic code in a UI SDK bundle are normal Vue/browser patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-D1USdwE4.js | AI (source-diff): URL-encoded SVG data causes long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-CCESyhxX.js | AI (source-diff): URL-encoded SVG data causes long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-9EjvdKqd.js | AI (source-diff): URL-encoded SVG data causes long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-BpXv6NqV.js | AI (source-diff): Minified emoji-picker-element bundle; readable logic visible in sample. | ai | |
| source-diff | net-exec-file:dist/install-Btsl7J6C.js | AI (source-diff): Network calls are emoji CDN fetches; dynamic code execution is Vue's runtime rendering — no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/install-Btsl7J6C.js | AI (source-diff): Standard Vite-minified Vue bundle; long lines are normal build output for this UI SDK. | ai | |
| provenance | no-provenance | AI (provenance): Large established SDK; lack of provenance is consistent across its 2000+ version history. | ai | |
| source-diff | net-exec-file:dist/install-uRNiMbqp.js | AI (source-diff): Network call is emoji CDN fetch; no dynamic code execution beyond normal Vue runtime. | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-D6LkZ5Mu.js | AI (source-diff): Minified Vue table component; sample shows normal Vue composable patterns. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-CNwzDAa5.js | AI (source-diff): Minified error-page component with URL-encoded SVG; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-nq43ktii.js | AI (source-diff): Minified Vue component with URL-encoded SVG asset; benign build output. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-BlKZydZ3.js | AI (source-diff): Minified emoji-picker component bundle; sample shows IndexedDB/emoji logic, not malware. | ai | |
| source-diff | obfuscated-file:dist/install-uRNiMbqp.js | AI (source-diff): Standard Vite minified bundle; Vue imports and normal JS patterns visible in sample. | ai | |
| source-diff | net-exec-file:dist/install-BTw4h6La.js | AI (source-diff): Network calls and dynamic code in a UI SDK bundle are expected (fetch for emoji data, dynamic component loading). | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-D3oCCDNW.js | AI (source-diff): Minified Vue component; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-ND0BquL3.js | AI (source-diff): Minified Vue error-page component with URL-encoded SVG; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-CQoomGSQ.js | AI (source-diff): Minified Vue component with URL-encoded SVG; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-CPpRiG3z.js | AI (source-diff): Minified emoji-picker-element bundle; CDN URL for emoji data is documented upstream behavior. | ai | |
| source-diff | obfuscated-file:dist/install-BTw4h6La.js | AI (source-diff): Standard Vite-minified bundle; Vue imports and normal JS patterns visible in sample. | ai | |
| source-diff | net-exec-file:dist/install-B0iOKX0v.js | AI (source-diff): Network calls and dynamic code in a UI SDK bundle are expected (fetch for emoji data, dynamic Vue component loading). | ai | |
| source-diff | obfuscated-file:dist/wt-table-column-select-ClA_A3dE.js | AI (source-diff): Standard Vite-minified Vue component with SVG data; benign. | ai | |
| source-diff | obfuscated-file:dist/wt-error-page-BklEfHeX.js | AI (source-diff): URL-encoded SVG paths in a minified Vue component; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/wt-dummy-BCaleMs_.js | AI (source-diff): Contains URL-encoded SVG data and Vue component code; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/wt-chat-emoji-zXNZdzpq.js | AI (source-diff): Minified emoji-picker-element bundle; content matches the declared emoji-picker-element dependency. | ai | |
| source-diff | obfuscated-file:dist/install-B0iOKX0v.js | AI (source-diff): Standard Vite bundle chunk with readable Vue imports; minification triggers the rule but no obfuscation present. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Referenced in vite/tailwind config files, not a runtime import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vuepic/vue-datepicker | AI (phantom-deps): Lazily imported UI component; stable false positive. | ai | |
| phantom-deps | phantom-dep:@morev/vue-transitions | AI (phantom-deps): Lazily imported UI component; stable false positive. | ai | |
| phantom-deps | phantom-dep:emoji-picker-element | AI (phantom-deps): Lazily imported UI component; stable false positive. | ai | |
| phantom-deps | phantom-dep:path-browserify | AI (phantom-deps): Polyfill referenced in build config; stable false positive. | ai | |
| phantom-deps | phantom-dep:autosize | AI (phantom-deps): Build-tool/config reference in a large UI SDK; stable false positive. | ai | |
| phantom-deps | phantom-dep:@floating-ui/vue | AI (phantom-deps): UI library dep used indirectly via component wrappers; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/vite | AI (phantom-deps): Vite plugin referenced in build config; stable false positive. | ai |
Versions (showing 35 of 35)
| Version | Deps | Published |
|---|---|---|
| 26.6.9 | 22 / 46 | |
| 26.6.8 | 22 / 46 | |
| 26.6.6 | 22 / 46 | |
| 26.6.2 | 22 / 46 | |
| 26.4.81 | 22 / 46 | |
| 26.4.80 | 22 / 46 | |
| 26.4.78 | 22 / 46 | |
| 26.4.77 | 22 / 46 | |
| 26.4.71 | 22 / 46 | |
| 26.4.70 | 22 / 46 | |
| 26.4.63 | 22 / 46 | |
| 26.4.62 | 22 / 46 | |
| 26.4.60 | 22 / 46 | |
| 26.4.59 | 22 / 46 | |
| 26.4.58 | 22 / 46 | |
| 26.4.57 | 22 / 46 | |
| 26.4.56 | 22 / 46 | |
| 26.4.55 | 22 / 46 | |
| 26.4.51 | 22 / 46 | |
| 26.4.50 | 22 / 46 | |
| 26.4.47 | 22 / 46 | |
| 26.4.44 | 22 / 46 | |
| 26.4.42 | 22 / 46 | |
| 26.4.41 | 22 / 46 | |
| 26.4.33 | 22 / 46 | |
| 26.4.31 | 22 / 46 | |
| 26.4.29 | 22 / 46 | |
| 26.4.25 | 22 / 46 | |
| 26.4.22 | 22 / 46 | |
| 26.4.21 | 22 / 46 | |
| 26.4.20 | 22 / 46 | |
| 26.4.14 | 22 / 45 | |
| 26.4.13 | 22 / 45 | |
| 26.2.145 | 22 / 45 | |
| 26.2.144 | 22 / 45 |
v26.6.9
8 findingsThis version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.6.8
8 findingsThis version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.6.6
8 findingsThis version was published by a different npm account than previous versions on 2026-05-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.6.2
8 findingsThis version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.4.81
8 findingsThis version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.4.80
8 findingsThis version was published by a different npm account than previous versions on 2026-05-22. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.4.78
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.77
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.71
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.70
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.63
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.62
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.60
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.59
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.58
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.57
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.56
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.55
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.51
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.50
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.47
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.44
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.42
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.41
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.33
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.31
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.2.145
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.2.144
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.