← Home

@faststats/web

npm Repository Homepage

> [!IMPORTANT] > This repository is in early development and not intended for production use.

28
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

luggapugga

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:@rrweb/rrweb-plugin-console-record AI (phantom-deps): Plugin is loaded conditionally/indirectly; phantom-dep heuristic fires on config-only references. ai
source-diff obfuscated-file:dist/chunks/send-data-D6WdryL7.js AI (source-diff): File is standard minified ESM bundle output; content is readable session/storage logic with no malicious patterns. ai
phantom-deps phantom-dep:web-vitals AI (phantom-deps): web-vitals is used via the ./web-vitals export path; phantom-dep heuristic misses indirect import patterns. ai
source-diff obfuscated-file:dist/replay-DWCkIH4r.js AI (source-diff): Standard tsdown/Rollup minified output; wraps rrweb session replay, consistent with declared rrweb dependencies. ai
source-diff obfuscated-file:dist/error-Cs5wnTbZ.js AI (source-diff): Standard tsdown/Rollup minified output; implements error tracking with window event listeners, no malicious patterns. ai
source-diff obfuscated-file:dist/analytics-B1kgY_Yf.js AI (source-diff): Standard tsdown/Rollup minified output; code is readable analytics tracking, not obfuscated malware. ai
source-diff obfuscated-file:dist/replay-B2VT_kl_.js AI (source-diff): Standard minified build output; implements rrweb session replay, consistent with declared deps. ai
source-diff obfuscated-file:dist/analytics-CMMFYUFq.js AI (source-diff): Standard minified build output from tsdown; code is readable analytics logic, not obfuscated. ai
source-diff obfuscated-file:dist/error-DmR1BucX.js AI (source-diff): Standard minified build output; implements error tracking, no obfuscation indicators. ai
source-diff obfuscated-file:dist/replay-alCILAnP.js AI (source-diff): Standard minified bundler output; content is legitimate rrweb session replay logic. ai
source-diff obfuscated-file:dist/analytics-D_dgxSVU.js AI (source-diff): Standard minified bundler output for an analytics SDK; content is legitimate analytics/feature-flag logic. ai
source-diff obfuscated-file:dist/error-Df3cDcoP.js AI (source-diff): Standard minified bundler output; content is legitimate error tracking logic. ai
source-diff obfuscated-file:dist/error-uRd9K5Py.js AI (source-diff): Standard tsdown bundler output; content matches declared error-tracking functionality. ai
source-diff obfuscated-file:dist/replay-DkZI1bwa.js AI (source-diff): Standard tsdown bundler output; content matches declared rrweb session-replay functionality. ai
source-diff obfuscated-file:dist/analytics-CEej2XLw.js AI (source-diff): Standard tsdown bundler output; content matches declared analytics SDK functionality. ai
source-diff obfuscated-file:dist/analytics-Ct-lghlf.js AI (source-diff): Standard bundler minification output; content matches declared analytics SDK functionality. ai
source-diff obfuscated-file:dist/error-asweBGYd.js AI (source-diff): Standard bundler minification output; content matches declared error-tracking functionality. ai
source-diff obfuscated-file:dist/replay-DUA5c3Jf.js AI (source-diff): Standard bundler minification output; content matches declared rrweb session-replay functionality. ai
provenance publisher-changed AI (provenance): Transition to GitHub Actions CI/CD publishing is a legitimate and common workflow change. ai
source-diff obfuscated-file:dist/replay-D9AlW2Jv.js AI (source-diff): Standard bundler minification output; code is readable rrweb session-replay logic. ai
source-diff obfuscated-file:dist/analytics-D0RCcMlv.js AI (source-diff): Standard bundler minification output; code is readable analytics logic, not obfuscated malware. ai
source-diff obfuscated-file:dist/error-BNd3BvFI.js AI (source-diff): Standard bundler minification output; code is readable error-tracking logic. ai
source-diff obfuscated-file:dist/replay-TDHY7cyS.js AI (source-diff): Minified build output; implements rrweb session replay recording, consistent with declared deps. ai
source-diff obfuscated-file:dist/error-am04dkiT.js AI (source-diff): Minified build output; implements standard error tracking with window error listeners. ai
source-diff obfuscated-file:dist/analytics-DO2MFOy_.js AI (source-diff): Minified build output from tsdown bundler; code is readable analytics SDK logic, not obfuscated malware. ai
source-diff obfuscated-file:dist/replay-CE1ZpeYS.js AI (source-diff): Standard minified ESM bundle wrapping rrweb session replay; content is readable and benign. ai
source-diff obfuscated-file:dist/analytics-C9dKSMp9.js AI (source-diff): Standard minified ESM bundle for a web analytics SDK; content is readable and benign. ai
source-diff obfuscated-file:dist/error-B84WzvRo.js AI (source-diff): Standard minified ESM bundle for error tracking; content is readable and benign. ai
source-diff obfuscated-file:dist/chunks/replay-rTqcjOo2.js AI (source-diff): Standard rolldown bundle output for session-replay module; content is readable and matches package purpose. ai
source-diff obfuscated-file:dist/chunks/error-Cd9PTS5v.js AI (source-diff): Standard rolldown bundle output for error-tracking module; content is readable and matches package purpose. ai
source-diff obfuscated-file:dist/chunks/session-manager-Cy63ptPF.js AI (source-diff): Standard rolldown bundle output for session-manager module; content is readable and matches package purpose. ai
source-diff obfuscated-file:dist/error-BWTalC2O.js AI (source-diff): Standard tsdown/Rollup minified bundle; content is readable error-tracking code. ai
source-diff obfuscated-file:dist/replay-4Jtqp78w.js AI (source-diff): Standard tsdown/Rollup minified bundle; content is readable rrweb session-replay wrapper code. ai
source-diff obfuscated-file:dist/analytics-6gDXSBjL.js AI (source-diff): Standard tsdown/Rollup minified bundle; content is readable analytics SDK code, not obfuscated malware. ai
source-diff obfuscated-file:dist/chunks/analytics-ur06JW5D.js AI (source-diff): Standard minified ESM bundle output for analytics SDK; content is readable and benign. ai
source-diff obfuscated-file:dist/chunks/error-ClMugucs.js AI (source-diff): Standard minified ESM bundle for error-tracking module; content matches declared error export. ai
source-diff obfuscated-file:dist/chunks/replay-DQHUrcod.js AI (source-diff): Standard minified ESM bundle for rrweb-based session replay; content matches declared replay export. ai
source-diff obfuscated-file:dist/index.js AI (source-diff): Standard minified build output; content matches analytics SDK with rrweb/web-vitals deps. ai
source-diff obfuscated-file:dist/chunks/error-3yIt0PgC.js AI (source-diff): Standard minified build output; content is clearly error-tracking logic matching declared package purpose. ai
source-diff obfuscated-file:dist/chunks/web-vitals-ClET5qGP.js AI (source-diff): Standard minified build output; content is web-vitals tracking logic matching declared deps. ai
source-diff obfuscated-file:dist/chunks/replay-u8fo4u_R.js AI (source-diff): Standard minified build output; content is session-replay logic using rrweb, consistent with declared deps. ai
source-diff obfuscated-file:dist/analytics-B988lkxn.js AI (source-diff): Minified bundler output (tsdown); code is readable analytics SDK logic, not obfuscated malware. ai
source-diff obfuscated-file:dist/replay-44QeDpKH.js AI (source-diff): Minified bundler output; session-replay code using rrweb, consistent with declared deps. ai
source-diff obfuscated-file:dist/error-BLRIDscG.js AI (source-diff): Minified bundler output; error-tracking code using rrweb, consistent with declared deps. ai
source-diff obfuscated-file:dist/chunks/error-1K0dai1m.js AI (source-diff): Standard minified build output; content is error tracking logic (window error listeners, queue/flush). ai
source-diff obfuscated-file:dist/chunks/analytics-Cmawx5f9.js AI (source-diff): Standard minified build output for a web analytics SDK; content is benign analytics/tracking code. ai
source-diff obfuscated-file:dist/chunks/replay-CtMtn0C-.js AI (source-diff): Standard minified build output; content is rrweb session replay integration, consistent with package exports. ai
source-diff obfuscated-file:dist/replay-DeRZXYG3.js AI (source-diff): Standard minified ESM bundle; implements rrweb session replay, consistent with declared dependencies. ai
source-diff obfuscated-file:dist/analytics-p8pLmlA-.js AI (source-diff): Standard minified ESM bundle from tsdown/Vite build; readable analytics logic, no obfuscation techniques. ai
source-diff obfuscated-file:dist/replay-ZmimkIBT.js AI (source-diff): Minified rrweb bundle; content is legitimate session-replay code, not obfuscated malware. ai
source-diff obfuscated-file:dist/chunks/error-CDVOMiI9.js AI (source-diff): Standard minified build output from tsdown; content is readable error-tracking SDK logic. ai
source-diff obfuscated-file:dist/chunks/replay-CHFW2q4E.js AI (source-diff): Standard minified build output; content is rrweb-based session replay logic consistent with declared deps. ai
source-diff obfuscated-file:dist/analytics-c6ZVX6pa.js AI (source-diff): Standard minified bundler output (tsdown); code is readable analytics logic, not obfuscated malware. ai
source-diff obfuscated-file:dist/replay-DveDhM7v.js AI (source-diff): Standard minified bundler output; code is readable rrweb session-replay logic. ai
source-diff obfuscated-file:dist/error-DP65ICdP.js AI (source-diff): Standard minified bundler output; code is readable error-tracking logic. ai
bogus-package bogus-package AI (bogus-package): Thin README and no keywords are cosmetic issues; package has a real repo and legitimate dependencies. ai

Versions (showing 28 of 28)

Version Deps Published
0.3.0 3 / 4
0.2.14 5 / 4
0.2.13 6 / 5
0.2.12 6 / 5
0.2.11 6 / 5
0.2.10 6 / 5
0.2.8 6 / 5
0.2.7 5 / 6
0.2.6 5 / 6
0.2.5 5 / 6
0.2.4 5 / 6
0.2.3 5 / 6
0.2.1 5 / 6
0.2.0 5 / 6
0.1.9 5 / 6
0.1.8 5 / 6
0.1.7 5 / 6
0.1.6 5 / 6
0.1.5 5 / 6
0.1.4 5 / 6
0.1.3 4 / 6
0.1.2 4 / 6
0.1.1 4 / 6
0.1.0 4 / 6
0.0.4 4 / 6
0.0.3 4 / 6
0.0.2 4 / 6
0.0.1 4 / 6

v0.3.0

2 findings
HIGH New obfuscated file: dist/chunks/send-data-D6WdryL7.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.14

4 findings
HIGH New obfuscated file: dist/chunks/error-Cd9PTS5v.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/replay-rTqcjOo2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/session-manager-Cy63ptPF.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.13

3 findings
HIGH New obfuscated file: dist/chunks/error-CDVOMiI9.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/replay-CHFW2q4E.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.11

5 findings
HIGH New obfuscated file: dist/chunks/error-3yIt0PgC.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/replay-u8fo4u_R.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/web-vitals-ClET5qGP.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.10

4 findings
HIGH New obfuscated file: dist/chunks/analytics-ur06JW5D.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/error-ClMugucs.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/replay-DQHUrcod.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.8

4 findings
HIGH New obfuscated file: dist/chunks/analytics-Cmawx5f9.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/error-1K0dai1m.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/replay-CtMtn0C-.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.7

4 findings
HIGH New obfuscated file: dist/analytics-Ct-lghlf.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-asweBGYd.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-DUA5c3Jf.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6

4 findings
HIGH New obfuscated file: dist/analytics-D_dgxSVU.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-Df3cDcoP.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-alCILAnP.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.5

4 findings
HIGH New obfuscated file: dist/analytics-CEej2XLw.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-uRd9K5Py.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-DkZI1bwa.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4

4 findings
HIGH New obfuscated file: dist/analytics-B988lkxn.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-BLRIDscG.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-44QeDpKH.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.3

4 findings
HIGH New obfuscated file: dist/analytics-CMMFYUFq.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-DmR1BucX.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-B2VT_kl_.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

4 findings
HIGH New obfuscated file: dist/analytics-6gDXSBjL.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-BWTalC2O.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-4Jtqp78w.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.9

4 findings
HIGH New obfuscated file: dist/analytics-B1kgY_Yf.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-Cs5wnTbZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-DWCkIH4r.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.8

4 findings
HIGH New obfuscated file: dist/analytics-C9dKSMp9.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-B84WzvRo.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-CE1ZpeYS.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.6

4 findings
HIGH New obfuscated file: dist/analytics-c6ZVX6pa.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-DP65ICdP.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-DveDhM7v.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.5

4 findings
HIGH New obfuscated file: dist/analytics-DO2MFOy_.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-am04dkiT.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-TDHY7cyS.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.4

4 findings
HIGH New obfuscated file: dist/analytics-D0RCcMlv.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/error-BNd3BvFI.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-D9AlW2Jv.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.2

3 findings
HIGH New obfuscated file: dist/analytics-p8pLmlA-.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/replay-DeRZXYG3.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

3 findings
HIGH Publisher changed: luggapugga → GitHub Actions (on 2026-03-15) provenance

This version was published by a different npm account than previous versions on 2026-03-15. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/replay-ZmimkIBT.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

3 findings
HIGH Publisher changed: luggapugga → GitHub Actions (on 2026-03-15) provenance

This version was published by a different npm account than previous versions on 2026-03-15. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/replay-ZmimkIBT.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.4

2 findings
HIGH Publisher changed: luggapugga → GitHub Actions (on 2026-03-15) provenance

This version was published by a different npm account than previous versions on 2026-03-15. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.