@wix/cli-app

CLI tool for Wix apps

34 Versions
License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

yoavwix-cishahatawixnpmwix-ambassadorwix-ci-publisherwix-bi-publishergalil-teamusability-sessionsyurynixydanivmayacoamitde007haimbrum-wixyoungshinobiethanpshlomitc-wixarielhwix-org-headlessfalconcinadavlacroir-wixdorchaouat

Keywords

wix, wix-cli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
source-diff net-exec-file:build/chunk-DBFVYZRD.js AI (source-diff): Bundled CLI tool output; sampled code is React production bundle wrapped in esbuild shims, not malware. ai
source-diff net-exec-file:build/chunk-CYTZ2GB2.js AI (source-diff): Bundled CLI tool output (tsup/esbuild); network+exec pattern is from bundled deps like EJS, not malware. ai
source-diff net-exec-file:build/chunk-5EFJ7YE4.js AI (source-diff): Bundled CLI tool output; sampled code is React production bundle wrapped in CJS shims, not dropper malware. ai
source-diff net-exec-file:build/chunk-3UYDGXGU.js AI (source-diff): Bundled CLI tool output (esbuild/tsup); network+exec pattern is from bundled deps like EJS, not malware. ai
source-diff net-exec-file:build/chunk-IKVSVXI7.js AI (source-diff): Bundled CLI tool output; network+exec pattern is from bundled deps (ejs, etc.), not malware. ai
source-diff net-exec-file:build/chunk-UWEZ6WEO.js AI (source-diff): Bundled React/CLI build artifact; sample shows react.production.min.js and ESM shims, not dropper code. ai
source-diff net-exec-file:build/chunk-ZFA2UNLV.js AI (source-diff): Bundled CLI tool output; sampled code is React production bundle and ESM shims, not malicious. ai
source-diff net-exec-file:build/chunk-HRZBACGI.js AI (source-diff): Bundled CLI tool output; network+exec pattern is from bundled deps (EJS, etc.), not malware. ai
source-diff net-exec-file:build/chunk-TP5Y2Z7Q.js AI (source-diff): Bundled third-party libs (EJS, etc.) in esbuild/tsup output; not malware. ai
source-diff net-exec-file:build/chunk-YMZIPZHW.js AI (source-diff): Bundled React and other deps in standard tsup CommonJS shims; not malware. ai
source-diff net-exec-file:build/chunk-KCQGRTRW.js AI (source-diff): Bundled EJS/CLI tool build artifact; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-JPN6KKOW.js AI (source-diff): Bundled React/CLI tool build artifact; network+exec pattern is from legitimate bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-CCCLG2JI.js AI (source-diff): Bundled CLI tool output (esbuild/tsup); network+exec pattern is from bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-DDMXHKSN.js AI (source-diff): Bundled CLI tool output; React and other deps wrapped in CJS shims, not dropper code. ai
source-diff net-exec-file:build/chunk-ZSDFJ7PH.js AI (source-diff): Bundled EJS/vendor code via tsup; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-S5XGLJUX.js AI (source-diff): Bundled React/vendor code via tsup; network+exec pattern is from legitimate bundler shims, not malware. ai
source-diff net-exec-file:build/chunk-V2MHHSRR.js AI (source-diff): Bundled EJS/CLI source artifact; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-HPSJVSZT.js AI (source-diff): Bundled React/Node build artifact from Wix CLI tool; network+exec pattern is from bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-XSS6IVGH.js AI (source-diff): Bundled EJS/CLI code via tsup; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-IWFMNFR3.js AI (source-diff): Bundled React/node_modules code via tsup; network+exec pattern is from legitimate build output, not malware. ai
source-diff net-exec-file:build/chunk-6UH4CYS3.js AI (source-diff): Bundled React/node_modules code via tsup/vite; standard build artifact for this Wix CLI package. ai
source-diff net-exec-file:build/chunk-UPJ56UVV.js AI (source-diff): Bundled EJS/CLI utilities via tsup/vite; standard build artifact for this Wix CLI package. ai
source-diff net-exec-file:build/chunk-I5KGEN4M.js AI (source-diff): Bundled EJS/CLI tool code; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-5SNSBJNK.js AI (source-diff): Bundled React/CLI tool code; network+exec pattern is from bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-ALPGGVOI.js AI (source-diff): Bundled EJS/dependency code via __commonJS wrappers; standard CLI build artifact for this Wix package. ai
source-diff net-exec-file:build/chunk-4MWJVDBY.js AI (source-diff): Bundled React/dependency code via __commonJS wrappers; standard CLI build artifact for this Wix package. ai
source-diff net-exec-file:build/chunk-HOMQRE7V.js AI (source-diff): Bundled EJS/CLI utility code in a Wix CLI build artifact; not malware. ai
source-diff net-exec-file:build/chunk-766KRJ2V.js AI (source-diff): Bundled React/node_modules code in a Wix CLI build artifact; not malware. ai
source-diff net-exec-file:build/chunk-EUAUZCCH.js AI (source-diff): Bundled React/node_modules build artifact from Wix CLI tool; not malware. ai
source-diff net-exec-file:build/chunk-M2HWGRZ6.js AI (source-diff): Bundled EJS/CLI source artifact; network+exec pattern is from bundled deps, not malicious code. ai
source-diff net-exec-file:build/chunk-QNUGY2OU.js AI (source-diff): Bundled React/CLI build artifact; network+exec pattern is from bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-XR4KYUON.js AI (source-diff): Bundled EJS/CLI build artifact; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-S3T3SC6X.js AI (source-diff): Bundled React/library code wrapped in CommonJS shims; not malware. Pattern is stable for this build-tool package. ai
source-diff net-exec-file:build/chunk-UNLKQE2B.js AI (source-diff): Bundled EJS/CLI library code; same bundler shim pattern as chunk-S3T3SC6X.js. Not malicious. ai
source-diff net-exec-file:build/chunk-ME2V6PXS.js AI (source-diff): Bundled React/library code in a Wix CLI build artifact; not malware. ai
source-diff net-exec-file:build/chunk-ZEW4BU75.js AI (source-diff): Bundled EJS/library code in a Wix CLI build artifact; not malware. ai
source-diff net-exec-file:build/chunk-QWNBBECB.js AI (source-diff): Bundled EJS/CLI tool build artifact; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-75MOQMO5.js AI (source-diff): Bundled React/CLI tool build artifact; network+exec pattern is from bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-ZH24B5HA.js AI (source-diff): Bundled CLI tool output containing React and other well-known deps; not a dropper. ai
source-diff net-exec-file:build/chunk-BJPO274H.js AI (source-diff): Bundled CLI tool output; network+exec pattern is from bundled deps (EJS, etc.), not malware. ai
source-diff net-exec-file:build/chunk-TMLY5Z35.js AI (source-diff): Bundled CLI tool output containing React and other deps; standard build artifact for this package. ai
source-diff net-exec-file:build/chunk-SS6XPFFS.js AI (source-diff): Bundled CLI tool output (tsup/esbuild); network+exec pattern is from bundled deps like EJS, not malware. ai
source-diff net-exec-file:build/chunk-WGK2UMDR.js AI (source-diff): Bundled EJS/CLI build artifact; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-UANCDK74.js AI (source-diff): Bundled React/CLI build artifact; network+exec pattern is from bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-PVUIFNN3.js AI (source-diff): Bundled CLI tool output; sample shows react production bundle wrapped in CommonJS shims, not dropper code. ai
source-diff net-exec-file:build/chunk-ASWBK3YT.js AI (source-diff): Bundled CLI tool output with esbuild shims; network+exec pattern is from bundled deps (ejs, etc.), not malware. ai
source-diff net-exec-file:build/chunk-VWFIZYS5.js AI (source-diff): Bundled build output containing React and other deps; standard CLI tool build artifact. ai
source-diff net-exec-file:build/chunk-KNQPW4OC.js AI (source-diff): Bundled build output (tsup/esbuild chunks); network+exec pattern is from bundled deps like EJS, not malware. ai
source-diff net-exec-file:build/chunk-JISET5NS.js AI (source-diff): Bundled esbuild/tsup output with standard npm deps (react); not malware. ai
source-diff net-exec-file:build/chunk-G7YBIDUV.js AI (source-diff): Bundled esbuild/tsup output with standard npm deps (ejs, react); not malware. ai
source-diff net-exec-file:build/chunk-NBW6QWYU.js AI (source-diff): Bundled EJS/CLI dependency code in a Wix CLI build artifact; not malware. ai
source-diff net-exec-file:build/chunk-4XRJUYRE.js AI (source-diff): Bundled React/dependency code in a Wix CLI build artifact; not malware. ai
source-diff net-exec-file:build/chunk-SACTPLTB.js AI (source-diff): Bundled CLI tool output; sampled code is React production bundle, not dropper/loader. ai
source-diff large-new-source-files AI (source-diff): Large file count reflects tsup build chunks and source maps; consistent with CLI tool build pipeline. ai
source-diff net-exec-file:build/chunk-B6TYQXQD.js AI (source-diff): Bundled CLI tool output (tsup/esbuild); sampled code is standard third-party library wrappers, not malware. ai
source-diff net-exec-file:build/chunk-XMB66R6L.js AI (source-diff): Bundled EJS/library code in a CLI build tool; same false-positive pattern as sibling chunk. ai
source-diff net-exec-file:build/chunk-NBSLOOJ5.js AI (source-diff): Bundled React/library code in a CLI build tool; network+exec pattern is from bundled deps, not malware. ai
source-diff net-exec-file:build/chunk-2ZCH2YS5.js AI (source-diff): Bundled third-party libs (EJS, etc.) in esbuild output; not malware. ai
source-diff net-exec-file:build/chunk-E3LGQKNT.js AI (source-diff): Bundled React and other deps in esbuild/tsup output; standard CLI tool build artifact. ai

Versions (showing 34 of 34)

Version Deps Published
1.1.208 3 / 72
1.1.207 3 / 72
1.1.206 3 / 72
1.1.205 3 / 72
1.1.204 3 / 72
1.1.203 3 / 72
1.1.202 3 / 72
1.1.201 3 / 72
1.1.200 3 / 72
1.1.199 3 / 72
1.1.198 3 / 72
1.1.197 3 / 72
1.1.196 3 / 72
1.1.195 3 / 72
1.1.194 3 / 72
1.1.193 3 / 72
1.1.192 3 / 72
1.1.191 3 / 72
1.1.190 3 / 72
1.1.189 3 / 72
1.1.188 3 / 72
1.1.187 3 / 72
1.1.186 3 / 72
1.1.185 3 / 72
1.1.184 3 / 72
1.1.183 3 / 72
1.1.182 3 / 72
1.1.181 3 / 72
1.1.180 3 / 72
1.1.179 3 / 72
1.1.178 3 / 72
1.1.177 3 / 72
1.1.176 3 / 72
1.1.175 3 / 72

v1.1.208

3 findings
HIGH New file with network + code execution: build/chunk-CYTZ2GB2.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-DBFVYZRD.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.207

3 findings
HIGH New file with network + code execution: build/chunk-3UYDGXGU.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-5EFJ7YE4.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.206

3 findings
HIGH New file with network + code execution: build/chunk-BJPO274H.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-ZH24B5HA.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.205

3 findings
HIGH New file with network + code execution: build/chunk-S3T3SC6X.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-UNLKQE2B.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.204

3 findings
HIGH New file with network + code execution: build/chunk-SS6XPFFS.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-TMLY5Z35.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.203

3 findings
HIGH New file with network + code execution: build/chunk-TP5Y2Z7Q.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-YMZIPZHW.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.202

3 findings
HIGH New file with network + code execution: build/chunk-QNUGY2OU.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-XR4KYUON.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.201

3 findings
HIGH New file with network + code execution: build/chunk-CCCLG2JI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-DDMXHKSN.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.200

3 findings
HIGH New file with network + code execution: build/chunk-HPSJVSZT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-V2MHHSRR.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.199

3 findings
HIGH New file with network + code execution: build/chunk-UANCDK74.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-WGK2UMDR.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.198

3 findings
HIGH New file with network + code execution: build/chunk-HRZBACGI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-ZFA2UNLV.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.197

3 findings
HIGH New file with network + code execution: build/chunk-75MOQMO5.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-QWNBBECB.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.196

3 findings
HIGH New file with network + code execution: build/chunk-EUAUZCCH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-M2HWGRZ6.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.195

3 findings
HIGH New file with network + code execution: build/chunk-4MWJVDBY.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-ALPGGVOI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.194

3 findings
HIGH New file with network + code execution: build/chunk-JPN6KKOW.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-KCQGRTRW.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.193

3 findings
HIGH New file with network + code execution: build/chunk-KNQPW4OC.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-VWFIZYS5.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.192

3 findings
HIGH New file with network + code execution: build/chunk-B6TYQXQD.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-SACTPLTB.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.191

3 findings
HIGH New file with network + code execution: build/chunk-G7YBIDUV.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-JISET5NS.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.190

3 findings
HIGH New file with network + code execution: build/chunk-ASWBK3YT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-PVUIFNN3.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.189

3 findings
HIGH New file with network + code execution: build/chunk-6UH4CYS3.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-UPJ56UVV.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.188

3 findings
HIGH New file with network + code execution: build/chunk-766KRJ2V.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-HOMQRE7V.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.187

3 findings
HIGH New file with network + code execution: build/chunk-IKVSVXI7.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-UWEZ6WEO.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.186

3 findings
HIGH New file with network + code execution: build/chunk-S5XGLJUX.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-ZSDFJ7PH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.185

3 findings
HIGH New file with network + code execution: build/chunk-5SNSBJNK.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-I5KGEN4M.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.184

3 findings
HIGH New file with network + code execution: build/chunk-ME2V6PXS.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-ZEW4BU75.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.183

3 findings
HIGH New file with network + code execution: build/chunk-IWFMNFR3.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-XSS6IVGH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.182

3 findings
HIGH New file with network + code execution: build/chunk-2ZCH2YS5.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-E3LGQKNT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.181

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.180

3 findings
HIGH New file with network + code execution: build/chunk-4XRJUYRE.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-NBW6QWYU.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.179

3 findings
HIGH New file with network + code execution: build/chunk-NBSLOOJ5.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: build/chunk-XMB66R6L.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.178

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.177

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.176

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.175

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.