@artel/artc
Артель Компилятор | Artel Compiler
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/chunk-RKCSFKQS.js | AI (source-diff): Compiler build bundle; network+exec pattern is from bundled compiler/LSP code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-PK5WTR7M.js | AI (source-diff): 3MB bundled compiler artifact; sample shows only standard TS/decorator build helpers, no actual network or eval calls. | ai | |
| source-diff | net-exec-file:build/chunk-LGYFTSDE.js | AI (source-diff): Bundled compiler output; network+exec pattern is from bundler boilerplate, not dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-BAAUJYMH.js | AI (source-diff): Bundled esbuild output for a compiler tool; network+exec pattern is from the compiler's own functionality, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-G4UMALLG.js | AI (source-diff): Build artifact with standard esbuild/TS boilerplate; no actual malicious network+exec pattern present. | ai | |
| source-diff | net-exec-file:build/chunk-ATYKWZ5R.js | AI (source-diff): Bundled esbuild output for a compiler package; network+exec pattern is standard transpiled async/decorator code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-YAYSHO33.js | AI (source-diff): Standard bundled build artifact from esbuild/rollup; transpilation boilerplate, not dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-T4JAN46C.js | AI (source-diff): Bundled esbuild output for a compiler package; network+exec pattern is expected and the sample shows only transpilation boilerplate. | ai | |
| source-diff | net-exec-file:build/chunk-LV35QVOW.js | AI (source-diff): Build artifact with standard esbuild/TS boilerplate; no actual network+exec payload present. | ai | |
| source-diff | net-exec-file:build/chunk-CQLARM2U.js | AI (source-diff): Bundled build artifact with standard TS/esbuild boilerplate; network+exec pattern is from the compiler's legitimate runtime, not dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-6JA436J2.js | AI (source-diff): Bundled compiler output (esbuild); network+exec pattern is from legitimate async/Promise boilerplate, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-YD2DEVJP.js | AI (source-diff): Large bundled build artifact for a compiler tool; network+exec pattern reflects Babel/TS bundling, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-A5H2QLXZ.js | AI (source-diff): Large bundled build artifact from esbuild; network+exec pattern is from bundled compiler/LSP code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-Y23FSWAN.js | AI (source-diff): File contains standard bundler helper boilerplate (decorators, async wrappers), not malicious network+exec patterns. | ai | |
| source-diff | net-exec-file:build/chunk-OB2WGYLS.js | AI (source-diff): Build bundle with standard esbuild/TS decorator boilerplate; network+exec pattern is from the compiler's legitimate runtime, not dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-F62D5WPV.js | AI (source-diff): Compiler/language-server bundle; network+exec pattern is expected in a bundled compiler tool, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-PGJQFLPG.js | AI (source-diff): Bundled compiler artifact; network+exec pattern is from bundled TS helpers, not malicious code. | ai | |
| source-diff | net-exec-file:build/chunk-2SRNQ3Z6.js | AI (source-diff): Bundled compiler output; network+exec pattern is from legitimate build tooling, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-GDTFOV2M.js | AI (source-diff): Compiler package bundles Babel; network+exec pattern is from bundled toolchain code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-U3H2CT4J.js | AI (source-diff): Compiler package; large bundled build artifacts with network+exec patterns are expected for a language compiler/LSP tool. | ai | |
| source-diff | net-exec-file:build/chunk-OQEIE4GQ.js | AI (source-diff): Bundled compiler output; network+exec pattern is from bundler boilerplate, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-VVFLEWSA.js | AI (source-diff): Compiler/language-server bundle; network+exec pattern is inherent to the package's purpose, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-XARNKP3Q.js | AI (source-diff): Build artifact from a compiler package; sample shows standard transpiler boilerplate, not dropper/loader code. | ai | |
| source-diff | net-exec-file:build/chunk-RIWU6SF4.js | AI (source-diff): Build bundle for a compiler package; sample shows TS transpilation boilerplate, not malicious dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-CGOSDN2E.js | AI (source-diff): Bundled compiler output; boilerplate helpers only in sample, no malicious net/exec pattern. | ai | |
| source-diff | net-exec-file:build/chunk-TIWNEKIS.js | AI (source-diff): Compiler/language-server bundle; network+exec pattern is inherent to LSP and code transformation, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-LYYIQT6J.js | AI (source-diff): 3.1MB bundled compiler artifact; sample shows only standard bundler boilerplate, no actual network fetch or eval. | ai | |
| source-diff | net-exec-file:build/chunk-46EEXYHP.js | AI (source-diff): Bundled compiler output; sample shows only standard bundler helpers (decorators, async), no actual network fetch or eval payload. | ai | |
| source-diff | net-exec-file:build/chunk-NQCSWP3L.js | AI (source-diff): Large bundled compiler output; network+exec pattern is from bundled Babel/TS tooling, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-7EMGC6AD.js | AI (source-diff): Large bundled build artifact for a compiler tool; network+exec pattern is from bundled Babel/TS runtime helpers, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-Y3SDLINT.js | AI (source-diff): Large bundled compiler output; net+exec pattern is inherent to a compiler/transpiler tool, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-HOEHBJ7R.js | AI (source-diff): Large bundled build artifact for a compiler tool; network+exec pattern is from bundled Babel/TS runtime helpers, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-S6SV63VD.js | AI (source-diff): Large bundled compiler artifact; network+exec pattern is from bundled language-server/compiler code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-6YPLDA76.js | AI (source-diff): Compiler/language-server bundle; network+code-exec pattern is inherent to this package's purpose, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-7D775S4V.js | AI (source-diff): Large bundled compiler artifact; sample shows standard TS polyfill boilerplate, not dropper/loader code. | ai | |
| source-diff | net-exec-file:build/chunk-TSATPA2U.js | AI (source-diff): Large bundled build artifact for a compiler package; network+exec pattern is from bundled toolchain code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-DB2CJDOL.js | AI (source-diff): Build bundle for a compiler package; network+exec pattern is from bundled compiler/LSP code, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-K3EBH7V6.js | AI (source-diff): Large bundled compiler output; network+exec pattern is from bundled toolchain code, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-FIIGCVSM.js | AI (source-diff): Large bundled compiler output; net+exec pattern is from bundled Babel/TS toolchain, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-O2F523M5.js | AI (source-diff): Large bundled build artifact with standard esbuild boilerplate; network+exec pattern is expected for a compiler package. | ai | |
| source-diff | net-exec-file:build/chunk-3PVSYUJV.js | AI (source-diff): Large bundled compiler artifact; sample shows standard build helpers, not malicious network+exec pattern. | ai | |
| source-diff | net-exec-file:build/chunk-4YMBG4SM.js | AI (source-diff): Compiler bundle artifact; sample shows standard esbuild/rollup helpers, not malicious network+exec pattern. | ai | |
| source-diff | net-exec-file:build/chunk-3JS4YG6N.js | AI (source-diff): Compiler/language-server build bundle; network+exec pattern is expected for this tool's functionality, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-VRGYQLZL.js | AI (source-diff): Compiler package; bundled build output with network/eval patterns is expected for a transpiler/compiler tool. | ai | |
| source-diff | net-exec-file:build/chunk-2Q4QKW7T.js | AI (source-diff): Large bundled compiler artifact; network+exec pattern is from bundled deps (Babel, TS, vscode-languageserver), not malware. | ai | |
| source-diff | net-exec-file:build/chunk-FCVCEIPF.js | AI (source-diff): 3MB esbuild bundle for a compiler package; sample shows standard decorator/async helpers, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-MN7XRSIB.js | AI (source-diff): Large bundled compiler artifact; sample shows standard build helpers, not malware patterns. | ai | |
| source-diff | net-exec-file:build/chunk-7EXJHYWX.js | AI (source-diff): Bundled compiler artifact; sample shows standard build helpers, not dropper/loader malware. | ai | |
| source-diff | net-exec-file:build/chunk-ZV4RVSWH.js | AI (source-diff): Large bundled build artifact for a compiler tool; boilerplate JS helpers, not malware patterns. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Babel deps are well-known transpiler packages consistent with compiler functionality. | ai | |
| source-diff | net-exec-file:build/chunk-SJFIPH42.js | AI (source-diff): Large bundled build artifact from established Artel compiler; network+exec pattern is from legitimate compiler/LSP functionality, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-ER3TEZSN.js | AI (source-diff): Bundled compiler output; esbuild/tsc artifact with standard async/decorator helpers, not dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-CWGZOWF7.js | AI (source-diff): Bundled compiler artifact; network+exec pattern comes from vscode-languageserver and compiler internals, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-MLUN6742.js | AI (source-diff): Compiler package; bundled chunk with network+exec patterns is expected for a language compiler/toolchain artifact. | ai | |
| source-diff | net-exec-file:build/chunk-CS2AK7Z7.js | AI (source-diff): Compiler package; large bundled build artifacts with network+exec patterns are expected and stable across versions. | ai | |
| source-diff | net-exec-file:build/chunk-PDVQZURU.js | AI (source-diff): Large bundled compiler artifact; network+exec pattern is from bundled LSP/compiler code, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-E72KEKQV.js | AI (source-diff): Large bundled compiler artifact; network/exec patterns are from bundled deps (vscode-languageserver, babel), not malicious dropper code. | ai | |
| source-diff | net-exec-file:build/chunk-3VRPBHJN.js | AI (source-diff): Large bundled build artifact from a compiler project; network+exec pattern reflects bundled compiler/LSP code, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-YNG6354X.js | AI (source-diff): Standard esbuild/rollup bundle for Artel Compiler; bundler boilerplate, not dropper malware. | ai | |
| source-diff | net-exec-file:build/chunk-LX6LUKPR.js | AI (source-diff): Bundled esbuild output for a compiler package; network+exec pattern is from legitimate async/fetch patterns in the bundle, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/chunk-EVYL6VFM.js | AI (source-diff): Large bundled compiler output (esbuild); network+exec pattern is from bundled deps, not malware. | ai | |
| source-diff | obfuscated-file:build/types/tree/Nodes.d.ts | AI (source-diff): Large .d.ts with long union type lines is expected for a compiler's AST node declarations. | ai | |
| source-diff | net-exec-file:build/chunk-LD2OIYWC.js | AI (source-diff): Bundled compiler artifact; sample shows standard build helpers, not dropper/loader patterns. | ai | |
| source-diff | net-exec-file:build/chunk-RQOGIK5O.js | AI (source-diff): Compiler/transpiler tool; bundled Babel+TS internals legitimately combine network (LSP) and code execution (transform) patterns. | ai | |
| source-diff | net-exec-file:build/chunk-KCEJTV3Q.js | AI (source-diff): Large bundled build artifact from a compiler package; sample shows standard bundle boilerplate, not malware. | ai | |
| source-diff | net-exec-file:build/chunk-Y77RKBXA.js | AI (source-diff): 4.6MB bundled compiler artifact; sample shows only standard bundler/decorator boilerplate, no actual network or eval patterns. | ai | |
| provenance | no-provenance | AI (provenance): Established package with consistent release history; lack of provenance is common and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:vscode-json-languageservice | AI (phantom-deps): VSCode language service dep referenced via config, stable false positive. | ai | |
| phantom-deps | phantom-dep:jsonc-parser | AI (phantom-deps): Referenced in config files, stable false positive for this compiler package. | ai | |
| phantom-deps | phantom-dep:@vscode/l10n | AI (phantom-deps): VSCode tooling dep referenced via config, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-class-properties | AI (phantom-deps): Babel plugin loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-decorators | AI (phantom-deps): Babel plugin loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/generator | AI (phantom-deps): Babel packages are framework-scoped build deps, not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Babel packages are framework-scoped build deps, not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Babel packages are framework-scoped build deps, not directly imported at runtime. | ai |
Versions (showing 51 of 87)
| Version | Deps | Published |
|---|---|---|
| 0.9.26021 | 14 / 3 | |
| 0.9.26016 | 14 / 3 | |
| 0.9.26003 | 14 / 3 | |
| 0.9.26002 | 14 / 3 | |
| 0.6.26039 | 14 / 3 | |
| 0.6.26038 | 14 / 3 | |
| 0.6.26037 | 14 / 3 | |
| 0.6.26036 | 14 / 3 | |
| 0.6.26035 | 14 / 3 | |
| 0.6.26034 | 14 / 3 | |
| 0.6.26032 | 14 / 3 | |
| 0.6.26031 | 14 / 3 | |
| 0.6.26030 | 14 / 3 | |
| 0.6.26029 | 14 / 3 | |
| 0.6.26028 | 14 / 3 | |
| 0.6.26027 | 14 / 3 | |
| 0.6.26026 | 14 / 3 | |
| 0.6.26025 | 14 / 3 | |
| 0.6.26024 | 14 / 3 | |
| 0.6.26023 | 14 / 3 | |
| 0.6.26022 | 14 / 3 | |
| 0.6.26019 | 14 / 3 | |
| 0.6.26018 | 14 / 2 | |
| 0.6.26017 | 14 / 2 | |
| 0.6.26016 | 14 / 2 | |
| 0.6.26015 | 14 / 2 | |
| 0.6.26014 | 14 / 2 | |
| 0.6.26010 | 14 / 2 | |
| 0.6.26009 | 14 / 2 | |
| 0.6.26008 | 14 / 2 | |
| 0.6.26006 | 14 / 2 | |
| 0.6.26004 | 14 / 2 | |
| 0.6.26003 | 14 / 2 | |
| 0.6.26002 | 14 / 2 | |
| 0.6.26001 | 14 / 2 | |
| 0.6.25295 | 14 / 2 | |
| 0.6.25293 | 14 / 2 | |
| 0.6.25292 | 14 / 2 | |
| 0.6.25290 | 14 / 2 | |
| 0.6.25289 | 11 / 2 | |
| 0.6.25286 | 11 / 2 | |
| 0.6.25284 | 11 / 2 | |
| 0.6.25283 | 11 / 2 | |
| 0.6.25282 | 11 / 2 | |
| 0.6.25281 | 11 / 2 | |
| 0.6.25279 | 11 / 2 | |
| 0.6.25278 | 11 / 2 | |
| 0.6.25277 | 11 / 2 | |
| 0.6.25276 | 11 / 2 | |
| 0.6.25275 | 11 / 2 | |
| 0.6.25274 | 11 / 2 |
v0.9.26021
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.26016
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.26003
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.26002
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26039
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26038
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26037
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26036
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26035
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26034
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26032
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26031
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26030
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26029
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26028
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26027
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26026
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26025
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26024
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26023
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26022
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26019
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26018
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26017
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26016
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26015
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26014
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26010
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26009
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26008
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26006
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26004
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26003
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26002
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.26001
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25295
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25293
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25292
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25290
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25289
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25286
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25284
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25283
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25282
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25281
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25279
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.25278
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.25277
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25276
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25275
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.25274
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.