@zthun/romulator-web
Romulator frontend
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/assets/index-CBeQBj5p.js | AI (source-diff): Vite-bundled React frontend; fetch calls are modulepreload polyfill, not malicious network+exec pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-nHUlV-0_.js | AI (source-diff): Vite-bundled React frontend; minified output is expected for this web app package. | ai | |
| source-diff | net-exec-file:dist/assets/index-nHUlV-0_.js | AI (source-diff): Network calls and dynamic module loading are standard browser bundle patterns (modulepreload, fetch); no malicious payload. | ai | |
| source-diff | net-exec-file:dist/assets/index-BQrf1M1b.js | AI (source-diff): Vite-bundled frontend asset; fetch calls are modulepreload polyfill, not malicious network+exec pattern. | ai | |
| source-diff | net-exec-file:dist/assets/index-CmYDPIXb.js | AI (source-diff): Network calls and dynamic code in a browser bundle are normal React/Vite app patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CmYDPIXb.js | AI (source-diff): Standard Vite production bundle; minified output is expected for this frontend package. | ai | |
| source-diff | net-exec-file:dist/assets/index-Bvc6l8vJ.js | AI (source-diff): Vite-bundled frontend bundle; network+exec pattern is standard browser polyfill/module loading, not malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-CKd74YMu.js | AI (source-diff): Network calls and dynamic code in a browser SPA bundle are normal; sample shows React runtime, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CKd74YMu.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for this web frontend package. | ai | |
| source-diff | net-exec-file:dist/assets/index-DscDEeqF.js | AI (source-diff): Network calls are browser fetch for modulepreload; no dynamic code execution beyond normal React bundle patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DscDEeqF.js | AI (source-diff): Vite-bundled React SPA output; minification is expected for this web frontend package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D8ZGfkPQ.js | AI (source-diff): Vite-minified React SPA bundle; minification is expected for this web frontend package. | ai | |
| source-diff | net-exec-file:dist/assets/index-D8ZGfkPQ.js | AI (source-diff): fetch() calls are browser modulepreload polyfill; no server-side dropper behavior present. | ai | |
| source-diff | net-exec-file:dist/assets/index-Dtk2L-Bc.js | AI (source-diff): Network calls are browser fetch for modulepreload; no dynamic code execution beyond normal React runtime. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dtk2L-Bc.js | AI (source-diff): Standard Vite minified bundle for a React SPA; not obfuscated malware. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction consistent with Vite build optimization/tree-shaking, not stub replacement. | ai | |
| source-diff | net-exec-file:dist/assets/index-DUOIpN_h.js | AI (source-diff): Vite-bundled frontend SPA asset; network calls are modulepreload polyfill fetch, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-Dsf8H9t4.js | AI (source-diff): Vite-bundled frontend SPA asset; modulepreload polyfill + fetch is standard build output, not malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C6fv_IdF.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for this frontend package. | ai | |
| source-diff | net-exec-file:dist/assets/index-C6fv_IdF.js | AI (source-diff): Network calls and dynamic patterns are browser-standard React SPA behavior, not dropper malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-Com8X0qx.js | AI (source-diff): Vite-bundled frontend output; fetch calls are modulepreload polyfill, not dropper behavior. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-GdtABegS.js | AI (source-diff): Vite-bundled frontend bundle; network calls are modulepreload polyfill fetch, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-DL1fUzQ4.js | AI (source-diff): Vite-bundled React frontend; network calls are fetch/modulepreload polyfill, not exfiltration or dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-txWYEq5v.js | AI (source-diff): Network calls are browser fetch for modulepreload; no dynamic code execution beyond normal React runtime. | ai | |
| source-diff | obfuscated-file:dist/assets/index-txWYEq5v.js | AI (source-diff): Standard Vite minified bundle for a React SPA; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-Dl0pX58K.js | AI (source-diff): Vite-bundled SPA asset; fetch calls are modulepreload polyfill, not malicious network execution. | ai | |
| source-diff | net-exec-file:dist/assets/index-BO4ogTAe.js | AI (source-diff): Vite-bundled React frontend; fetch() usage is the standard modulepreload polyfill, not a dropper. | ai | |
| source-diff | net-exec-file:dist/assets/index-zPM2qNY2.js | AI (source-diff): Network calls are fetch() for modulepreload; dynamic code is standard React/Vite bundle patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-zPM2qNY2.js | AI (source-diff): Vite-bundled SPA output; minified but not obfuscated. Stable pattern for this frontend package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BImCVu5p.js | AI (source-diff): Network calls are browser fetch() for modulepreload; no dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BImCVu5p.js | AI (source-diff): Vite-bundled frontend output; minified but readable React/browser code, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-CZMAQ_HC.js | AI (source-diff): Network calls are browser fetch for modulepreload; no dropper behavior present in this frontend bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CZMAQ_HC.js | AI (source-diff): Vite build output; minified frontend bundle is expected for this web app package. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 1.20.0 | 0 / 26 | |
| 1.19.0 | 0 / 25 | |
| 1.18.5 | 0 / 25 | |
| 1.18.4 | 0 / 25 | |
| 1.18.3 | 0 / 25 | |
| 1.18.2 | 0 / 24 | |
| 1.18.1 | 0 / 24 | |
| 1.18.0 | 0 / 24 | |
| 1.17.0 | 0 / 24 | |
| 1.16.0 | 0 / 24 | |
| 1.15.0 | 0 / 24 | |
| 1.14.1 | 0 / 24 | |
| 1.14.0 | 0 / 24 | |
| 1.13.0 | 0 / 24 | |
| 1.12.0 | 0 / 24 | |
| 1.11.0 | 0 / 23 | |
| 1.10.0 | 0 / 23 | |
| 1.8.0 | 0 / 23 | |
| 1.7.1 | 0 / 23 | |
| 1.7.0 | 0 / 23 | |
| 1.6.0 | 0 / 23 | |
| 1.5.0 | 0 / 23 | |
| 1.4.0 | 0 / 23 | |
| 1.3.5 | 0 / 23 | |
| 1.3.4 | 0 / 23 | |
| 1.3.3 | 0 / 23 | |
| 1.3.2 | 0 / 25 | |
| 1.3.1 | 0 / 25 | |
| 1.3.0 | 0 / 25 | |
| 1.2.0 | 0 / 25 | |
| 1.1.0 | 0 / 25 | |
v1.20.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.5
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.4
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.