freestyle-sandboxes
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established package with long track record; absence of provenance is common and not a risk signal here. | ai | |
| source-diff | obfuscated-file:dist/types.gen-CG8tIO9M.d.ts | AI (source-diff): Generated OpenAPI TypeScript declaration file; long lines are type unions, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/types.gen-BWwhCgTX.d.ts | AI (source-diff): Generated OpenAPI TypeScript declaration file; long lines are type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/types.gen-CWa4Mw0J.d.ts | AI (source-diff): Generated OpenAPI TypeScript declaration file; long lines are type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/types.gen-DkFlXKTr.d.ts | AI (source-diff): Generated OpenAPI TypeScript declaration file; long lines are type unions, not obfuscation. | ai | |
| dependencies | unvetted-dep:openapi | AI (dependencies): openapi dep is phantom (not directly imported); used only as a build-time codegen tool reference in scripts. | ai | |
| phantom-deps | phantom-dep:freestyle-sandboxes | AI (phantom-deps): Self-referential dependency for peer/config use; stable false positive. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): File-loader pattern in expo internals; requires file paths by extension check, not user-controlled arbitrary input. | ai | |
| phantom-deps | phantom-dep:openai | AI (phantom-deps): Config/type-level reference only; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:openapi | AI (phantom-deps): Referenced in config files only (openapi-ts script); stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package loaded by convention; stable false positive. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Fires on spawn('open', [url]) — standard macOS browser-open pattern, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same spawn('open', [url]) browser-open pattern; stable false positive for this package. | ai | |
Versions (showing 51 of 79)
| Version | Deps | Published |
|---|---|---|
| 0.1.46 | 0 / 0 | |
| 0.1.45 | 0 / 0 | |
| 0.1.44 | 0 / 0 | |
| 0.1.43 | 0 / 0 | |
| 0.1.42 | 0 / 0 | |
| 0.1.41 | 0 / 0 | |
| 0.1.40 | 0 / 0 | |
| 0.1.39 | 0 / 0 | |
| 0.1.38 | 0 / 0 | |
| 0.1.37 | 0 / 0 | |
| 0.1.36 | 0 / 0 | |
| 0.1.35 | 0 / 0 | |
| 0.1.34 | 0 / 0 | |
| 0.1.33 | 0 / 0 | |
| 0.1.32 | 0 / 0 | |
| 0.1.31 | 0 / 0 | |
| 0.1.30 | 0 / 0 | |
| 0.1.29 | 0 / 0 | |
| 0.1.28 | 0 / 0 | |
| 0.1.27 | 0 / 0 | |
| 0.1.26 | 0 / 0 | |
| 0.1.25 | 0 / 0 | |
| 0.1.24 | 0 / 0 | |
| 0.1.23 | 0 / 0 | |
| 0.1.22 | 0 / 0 | |
| 0.1.21 | 0 / 0 | |
| 0.1.20 | 0 / 0 | |
| 0.1.19 | 0 / 0 | |
| 0.1.18 | 0 / 0 | |
| 0.1.17 | 0 / 0 | |
| 0.1.16 | 0 / 0 | |
| 0.1.15 | 0 / 0 | |
| 0.1.14 | 0 / 0 | |
| 0.1.13 | 0 / 0 | |
| 0.1.12 | 0 / 0 | |
| 0.1.11 | 0 / 0 | |
| 0.1.10 | 0 / 0 | |
| 0.1.9 | 0 / 0 | |
| 0.1.8 | 0 / 0 | |
| 0.1.7 | 0 / 0 | |
| 0.1.6 | 0 / 0 | |
| 0.1.5 | 0 / 0 | |
| 0.1.3 | 0 / 0 | |
| 0.1.2 | 0 / 0 | |
| 0.1.1 | 0 / 0 | |
| 0.1.0 | 0 / 0 | |
| 0.0.97 | 11 / 7 | |
| 0.0.96 | 11 / 7 | |
| 0.0.93 | 11 / 7 | |
| 0.0.92 | 11 / 7 | |
| 0.0.91 | 11 / 7 | |
v0.1.46
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  261 | try {
  262 |   if (process.platform === "darwin") {
> 263 |     const child2 = spawn("open", [url], {
  264 |       stdio: "ignore",
  265 |       detached: true
```
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  269 |   }
  270 |   if (process.platform === "win32") {
> 271 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  272 |       stdio: "ignore",
  273 |       detached: true
```
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  276 |     return true;
  277 |   }
> 278 |   const child = spawn("xdg-open", [url], {
  279 |     stdio: "ignore",
  280 |     detached: true
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.45 through v0.1.31
Each of these fifteen versions (0.1.45, 0.1.44, 0.1.43, 0.1.42, 0.1.41, 0.1.40, 0.1.39, 0.1.38, 0.1.37, 0.1.36, 0.1.35, 0.1.34, 0.1.33, 0.1.32, 0.1.31) reports the same 7 findings as v0.1.46, at the same source lines: the silent detached process finding (listed twice for each call) on `spawn("open", [url], ...)` at line 263, on `spawn("cmd", ["/c", "start", "", url], ...)` at line 271 and on `spawn("xdg-open", [url], ...)` at line 278, each with `stdio: "ignore"` and `detached: true`, plus the finding that the package was published without Sigstore provenance (only ~12% of npm packages have provenance, so this is common but not ideal).
v0.1.30
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  219 | try {
  220 |   if (process.platform === "darwin") {
> 221 |     const child2 = spawn("open", [url], {
  222 |       stdio: "ignore",
  223 |       detached: true
```
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  227 |   }
  228 |   if (process.platform === "win32") {
> 229 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  230 |       stdio: "ignore",
  231 |       detached: true
```
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  234 |     return true;
  235 |   }
> 236 |   const child = spawn("xdg-open", [url], {
  237 |     stdio: "ignore",
  238 |     detached: true
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.29
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  224 | try {
  225 |   if (process.platform === "darwin") {
> 226 |     const child2 = spawn("open", [url], {
  227 |       stdio: "ignore",
  228 |       detached: true
```
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  232 |   }
  233 |   if (process.platform === "win32") {
> 234 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  235 |       stdio: "ignore",
  236 |       detached: true
```
Silent detached process — runs invisibly in the background (reverse shells, miners). Listed twice in the report.
```js
  239 |     return true;
  240 |   }
> 241 |   const child = spawn("xdg-open", [url], {
  242 |     stdio: "ignore",
  243 |     detached: true
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.28
7 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 224 | try { 225 | if (process.platform === "darwin") { > 226 | const child2 = spawn("open", [url], { 227 | stdio: "ignore", 228 | detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners) 224 | try { 225 | if (process.platform === "darwin") { > 226 | const child2 = spawn("open", [url], { 227 | stdio: "ignore", 228 | detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners) 232 | } 233 | if (process.platform === "win32") { > 234 | const child2 = spawn("cmd", ["/c", "start", "", url], { 235 | stdio: "ignore", 236 | detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners) 232 | } 233 | if (process.platform === "win32") { > 234 | const child2 = spawn("cmd", ["/c", "start", "", url], { 235 | stdio: "ignore", 236 | detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners) 239 | return true; 240 | } > 241 | const child = spawn("xdg-open", [url], { 242 | stdio: "ignore", 243 | detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners) 239 | return true; 240 | } > 241 | const child = spawn("xdg-open", [url], { 242 | stdio: "ignore", 243 | detached: true
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.27
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
  224 | try {
  225 |   if (process.platform === "darwin") {
> 226 |     const child2 = spawn("open", [url], {
  227 |       stdio: "ignore",
  228 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  232 |   }
  233 |   if (process.platform === "win32") {
> 234 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  235 |       stdio: "ignore",
  236 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  239 |     return true;
  240 |   }
> 241 |   const child = spawn("xdg-open", [url], {
  242 |     stdio: "ignore",
  243 |     detached: true
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.26
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
  224 | try {
  225 |   if (process.platform === "darwin") {
> 226 |     const child2 = spawn("open", [url], {
  227 |       stdio: "ignore",
  228 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  232 |   }
  233 |   if (process.platform === "win32") {
> 234 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  235 |       stdio: "ignore",
  236 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  239 |     return true;
  240 |   }
> 241 |   const child = spawn("xdg-open", [url], {
  242 |     stdio: "ignore",
  243 |     detached: true
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.25
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
  224 | try {
  225 |   if (process.platform === "darwin") {
> 226 |     const child2 = spawn("open", [url], {
  227 |       stdio: "ignore",
  228 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  232 |   }
  233 |   if (process.platform === "win32") {
> 234 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  235 |       stdio: "ignore",
  236 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  239 |     return true;
  240 |   }
> 241 |   const child = spawn("xdg-open", [url], {
  242 |     stdio: "ignore",
  243 |     detached: true
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.24
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
  224 | try {
  225 |   if (process.platform === "darwin") {
> 226 |     const child2 = spawn("open", [url], {
  227 |       stdio: "ignore",
  228 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  232 |   }
  233 |   if (process.platform === "win32") {
> 234 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  235 |       stdio: "ignore",
  236 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  239 |     return true;
  240 |   }
> 241 |   const child = spawn("xdg-open", [url], {
  242 |     stdio: "ignore",
  243 |     detached: true
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.23
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
  220 | try {
  221 |   if (process.platform === "darwin") {
> 222 |     const child2 = spawn("open", [url], {
  223 |       stdio: "ignore",
  224 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  228 |   }
  229 |   if (process.platform === "win32") {
> 230 |     const child2 = spawn("cmd", ["/c", "start", "", url], {
  231 |       stdio: "ignore",
  232 |       detached: true
Silent detached process — runs invisibly in the background (reverse shells, miners)
  235 |     return true;
  236 |   }
> 237 |   const child = spawn("xdg-open", [url], {
  238 |     stdio: "ignore",
  239 |     detached: true
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.22
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.20
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.19
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.97
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.96
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.93
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.92
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.91
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.