
nuxi
Nuxt CLI

10 versions | MIT license | No install scripts | Verified provenance

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

nuxtbot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/jiti-DIDkIovA.mjs | AI (source-diff): Bundled jiti (webpack-compiled CJS loader); minification is expected and matches declared devDependency [email protected]. | ai |
source-diff | obfuscated-file:dist/dist-BP14MYpv.mjs | AI (source-diff): Minified bundle of consola/logging deps; standard for nuxi CLI dist output. | ai |
source-diff | net-exec-file:dist/dist-xdvxZpBN.mjs | AI (source-diff): Contains bundled magicast/babel-parser; dynamic code execution is AST parsing, not dropper behavior. | ai |
source-diff | obfuscated-file:dist/logger-CyBffPrB.mjs | AI (source-diff): Bundled logger/terminal-width utilities; long lines are lookup tables, not obfuscation. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation confirms legitimate CI/CD publish; dormancy is not indicative of takeover here. | ai |
source-diff | encoded-string-file:dist/chunks/dev.mjs | AI (source-diff): Long base64 string is llhttp WASM binary embedded as standard bundled dependency, not a malicious payload. | ai |
source-diff | encoded-string-file:dist/chunks/init.mjs | AI (source-diff): Long string is minified proxy/fetch library code bundled from legitimate upstream deps, not obfuscation. | ai |
typosquat | typosquat.levenshtein:nuxt | AI (typosquat): nuxi IS the official Nuxt CLI; the nuxt/cli repo and bin aliases confirm this is not a typosquat. | ai |
typosquat | typosquat.levenshtein:next | AI (typosquat): nuxi is the Nuxt CLI; 2-edit distance from 'next' is coincidental, not impersonation. | ai |

Versions (showing 10 of 10)

Version | Deps | Published
3.35.1 | 0 / 45 |
3.35.0 | 0 / 45 |
3.32.0 | 0 / 45 |
3.31.3 | 0 / 45 |
3.31.2 | 0 / 45 |
3.31.1 | 0 / 45 |
3.31.0 | 0 / 45 |
3.30.0 | 0 / 41 |
3.29.1 | 0 / 40 |
3.29.0 | 0 / 40 |

v3.35.0

5 findings
[HIGH] New obfuscated file: dist/dist-BP14MYpv.mjs (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New file with network + code execution: dist/dist-xdvxZpBN.mjs (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New obfuscated file: dist/jiti-DIDkIovA.mjs (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New obfuscated file: dist/logger-CyBffPrB.mjs (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.32.0

2 findings
[HIGH] typosquat.levenshtein: Possible typosquat of 'nuxt' (typosquat)

Package name 'nuxi' is 1 edit(s) away from popular package 'nuxt'.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.31.3

2 findings
[HIGH] typosquat.levenshtein: Possible typosquat of 'nuxt' (typosquat)

Package name 'nuxi' is 1 edit(s) away from popular package 'nuxt'.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.31.2

2 findings
[HIGH] typosquat.levenshtein: Possible typosquat of 'nuxt' (typosquat)

Package name 'nuxi' is 1 edit(s) away from popular package 'nuxt'.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.31.1

2 findings
[HIGH] typosquat.levenshtein: Possible typosquat of 'nuxt' (typosquat)

Package name 'nuxi' is 1 edit(s) away from popular package 'nuxt'.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.31.0

2 findings
[HIGH] typosquat.levenshtein: Possible typosquat of 'nuxt' (typosquat)

Package name 'nuxi' is 1 edit(s) away from popular package 'nuxt'.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.30.0

2 findings
[HIGH] typosquat.levenshtein: Possible typosquat of 'nuxt' (typosquat)

Package name 'nuxi' is 1 edit(s) away from popular package 'nuxt'.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.29.1

3 findings
[HIGH] Long encoded string in modified file: dist/chunks/dev.mjs (source-diff)

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: dist/chunks/init.mjs (source-diff)

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.29.0

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.