@crmy/server
CRMy server — Express + PostgreSQL + MCP endpoint
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:public/assets/index-CdPJsOEj.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for a bundled web UI asset. | ai | |
| source-diff | obfuscated-file:public/assets/index-BhdR5p_0.js | AI (source-diff): Standard Vite/React production bundle served as static UI asset; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:public/assets/index-Bxk1RcTF.js | AI (source-diff): Standard Vite/React minified bundle; sample confirms React production build output, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:public/assets/index-D1Lhmm24.js | AI (source-diff): Standard Vite/React production bundle served as static UI assets; minification is expected and benign. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get usage is inside React internals within the bundled frontend; not obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by addition of bundled frontend assets (React SPA build output). | ai | |
| source-diff | obfuscated-file:public/assets/index-CskfWp8E.js | AI (source-diff): Standard Vite/React production bundle; React license header and modulepreload patterns confirm legitimate minified frontend asset. | ai | |
| phantom-deps | phantom-dep:@crmy/web | AI (phantom-deps): Same-org web frontend served by Express; declared dep not directly imported is expected. | ai | |
| phantom-deps | phantom-dep:nodemailer | AI (phantom-deps): nodemailer used at runtime via dynamic config; stable false positive for this server package. | ai | |
| phantom-deps | phantom-dep:node-pg-migrate | AI (phantom-deps): Migration CLI tool invoked via scripts, not imported; stable false positive. | ai | |
| source-diff | obfuscated-file:public/assets/ContactDrawer-CFXKV2x4.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/Contacts-yNFhQutT.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/Context-BVQiQD9q.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/CrmWidgets-sMNLaPuG.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/Dashboard-CvjByMY1.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/EmailDraftDrawer-Dyow1HEl.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/EmailDrawer-BnCT3LRh.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/Emails-BP-9TS5i.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/en-US-ZtQonj2f.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package bundles a React frontend; large number of Vite-generated asset files is expected for this package. | ai | |
| source-diff | obfuscated-file:public/assets/date-picker-DRo4EldO.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/AccountDrawer-Dj5RN41t.js | AI (source-diff): Standard Vite minified React bundle output; readable JSX logic visible in sample, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:public/assets/Accounts-VnMLn5HS.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/Activities-DsY5nOGv.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/ActivityDrawer-pFFRRITK.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/Agent-Cc67gFfS.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/AgentActivity-BxEevx9y.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/AssignmentDrawer--eGGH_x5.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/AuditLog-C_BrGOFB.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| source-diff | obfuscated-file:public/assets/Automations-CoMKyXFZ.js | AI (source-diff): Standard Vite minified React bundle output. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): @crmy/server is a scoped CRM server package; Levenshtein match to 'semver' is coincidental, not impersonation. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 0.8.9 | 19 / 5 | |
| 0.8.8 | 19 / 5 | |
| 0.8.4 | 17 / 4 | |
| 0.7.2 | 17 / 4 | |
| 0.7.1 | 17 / 4 | |
| 0.7.0 | 17 / 4 | |
| 0.6.1 | 17 / 4 | |
| 0.6.0 | 9 / 4 | |
| 0.5.10 | 8 / 4 | |
| 0.5.9 | 8 / 4 | |
| 0.5.8 | 8 / 4 | |
| 0.5.7 | 9 / 4 | |
| 0.5.6 | 8 / 4 | |
| 0.5.5 | 8 / 4 | |
| 0.5.3 | 8 / 4 | |
| 0.5.2 | 8 / 4 | |
| 0.5.1 | 8 / 4 | |
v0.8.9
36 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (35 occurrences)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.8
20 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (19 occurrences)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findings
Package name '@crmy/server' is 1 edit(s) away from popular package 'semver'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.10
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.9
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.8
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.