@wisemen/wise-crm-web — Greenflagged

CRM frontend package with Vue 3 components, composables and types

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wouter.appwisekobe-kwanten-wisemenjorenvandeweyerrobbe95fullmetaljsmaartensijmkenswisemen-sysopspeethadaanpersoonsjonasvannieuwenhuijsenyuhanghujonasbeckerssebastiaanvanspauwenjeroen-vc

Keywords

vuevue3crmcomponentstypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/AppSkeletonLoader-DVZ-oKgW.js	AI (source-diff): Standard Vite/Rollup minified bundle output for a Vue component library; not malicious obfuscation.	ai	2026/05/30
source-diff	obfuscated-file:dist/CrmDetailContainer-BhE9TeRa.js	AI (source-diff): Standard Vite/Rollup minified bundle output for a Vue component library; not malicious obfuscation.	ai	2026/05/30
source-diff	obfuscated-file:dist/Error-za-wClcU.js	AI (source-diff): Minified Vite bundle output; long lines are standard bundler output, not obfuscation.	ai	2026/05/30
source-diff	net-exec-file:dist/CrmDetailHeaderCard-BkA0Z-Cu.js	AI (source-diff): Vite-bundled Vue component; network calls are API client imports, dynamic execution is Vue's resolveDynamicComponent — not malware.	ai	2026/05/30
source-diff	obfuscated-file:dist/AppSkeletonLoader-BMX-bVc3.js	AI (source-diff): Standard Vite/Rollup minified bundle output for a Vue component library; not obfuscation.	ai	2026/05/30
source-diff	obfuscated-file:dist/CrmDetailContainer-gk5K7eQn.js	AI (source-diff): Standard Vite/Rollup minified bundle output for a Vue component library; not obfuscation.	ai	2026/05/30
source-diff	obfuscated-file:dist/Error-CX6APxDX.js	AI (source-diff): Standard Vite/Rollup minified bundle output; readable imports confirm legitimate build artifact.	ai	2026/05/29
provenance	no-provenance	AI (provenance): Internal org package; provenance not configured in their publish pipeline, stable false positive.	ai	2026/05/25
source-diff	obfuscated-file:dist/SettingsIcon-CWFwJelS.js	AI (source-diff): Minified SVG icon component bundle; content is clearly a settings gear icon, not obfuscated malware.	ai	2026/05/20
source-diff	net-exec-file:dist/CrmDetailHeaderCard-CacrRk2b.js	AI (source-diff): Standard Vite-bundled Vue component; imports are from known deps (vue, zod, vue-router), no actual dropper pattern.	ai	2026/05/20
source-diff	obfuscated-file:dist/Error-D6dRLq_g.js	AI (source-diff): Minified Vite bundle output; long lines are normal for bundled Vue/TS libraries, not obfuscation.	ai	2026/05/20
phantom-deps	phantom-dep:@vueuse/router	AI (phantom-deps): Config-referenced dep; stable false positive for this package.	ai	2026/05/16
phantom-deps	phantom-dep:reka-ui	AI (phantom-deps): Vue component library re-exports deps via config; not a real phantom-dep issue.	ai	2026/05/16
phantom-deps	phantom-dep:motion-v	AI (phantom-deps): Same pattern — config-referenced dep in a Vue component library.	ai	2026/05/16
phantom-deps	phantom-dep:@vueuse/core	AI (phantom-deps): Config-referenced dep; stable false positive for this package.	ai	2026/05/16
phantom-deps	phantom-dep:@tiptap/vue-3	AI (phantom-deps): Config-referenced dep; stable false positive for this package.	ai	2026/05/16
phantom-deps	phantom-dep:@tiptap/starter-kit	AI (phantom-deps): Config-referenced dep; stable false positive for this package.	ai	2026/05/16
phantom-deps	phantom-dep:@number-flow/vue	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:@tiptap/extension-text-style	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:@googlemaps/js-api-loader	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:@tiptap/extension-color	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:libphonenumber-js	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:vue3-google-map	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:@tiptap/pm	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:dompurify	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16
phantom-deps	phantom-dep:blurhash	AI (phantom-deps): Component library dependency referenced in config; not a direct import by design.	ai	2026/05/16

Versions (showing 16 of 16)

Version	Deps	Published
1.3.1	15 / 22	2026-06-04
1.3.0	15 / 22	2026-05-19
1.2.0	15 / 22	2026-04-30
1.1.0	15 / 22	2026-04-10
1.0.0	15 / 22	2026-03-05
0.2.5	15 / 22	2026-02-26
0.2.4	15 / 22	2026-02-26
0.2.3	15 / 22	2026-02-16
0.0.9	18 / 14	2025-12-04
0.0.8	18 / 14	2025-12-02
0.0.6	18 / 14	2025-12-01
0.0.5	18 / 14	2025-11-24
0.0.4	18 / 14	2025-11-24
0.0.3	18 / 14	2025-11-21
0.0.2	18 / 14	2025-11-21
0.0.1	18 / 14	2025-11-21

v1.3.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

4 findings

HIGH New file with network + code execution: dist/CrmDetailHeaderCard-CacrRk2b.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/Error-D6dRLq_g.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/SettingsIcon-CWFwJelS.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

3 findings

HIGH New file with network + code execution: dist/CrmDetailHeaderCard-BkA0Z-Cu.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/Error-za-wClcU.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.5

2 findings

HIGH New obfuscated file: dist/Error-CX6APxDX.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4

2 findings

HIGH New obfuscated file: dist/Error-CX6APxDX.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.9

3 findings

HIGH New obfuscated file: dist/AppSkeletonLoader-BMX-bVc3.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/CrmDetailContainer-gk5K7eQn.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.8

3 findings

HIGH New obfuscated file: dist/AppSkeletonLoader-DVZ-oKgW.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/CrmDetailContainer-BhE9TeRa.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.