numeric
Numerical analysis in javascript
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:numeric-1.2.3.js | AI (source-diff): False positive: the 'network+exec' pattern matches IE-compat eval shim and Function constructor reference in a legitimate numerical analysis library. No actual network calls or dropper behavior present. | ai | |
| source-diff | net-exec-file:numeric-1.2.3.min.js | AI (source-diff): Same as the unminified file — minified distribution of the same legitimate numeric library. No dropper/loader behavior. | ai | |
| source-diff | net-exec-file:numeric-1.2.2.js | AI (source-diff): The flagged file is the library's own versioned distribution. 'Code execution' is Function constructor for math routines; no actual network calls present. Legitimate numerical analysis library pattern. | ai | |
| source-diff | net-exec-file:numeric-1.2.2.min.js | AI (source-diff): Minified version of the same distribution file. Same false-positive reasoning: no actual dropper/loader behavior, just math library internals. | ai | |
| source-diff | net-exec-file:numeric-1.2.5.min.js | AI (source-diff): Minified version of the same legitimate numeric.js library file. Same false positive as the unminified counterpart — no actual network fetching or remote code execution. | ai | |
| source-diff | net-exec-file:numeric-1.2.5.js | AI (source-diff): This is the versioned main library file for the numeric.js math library. The 'network+exec' pattern is a false positive: numeric.Function=Function alias and eval() for operator dispatch, not a dropper. | ai | |
| source-diff | net-exec-file:numeric-1.2.4.js | AI (source-diff): This is the library's own versioned source file (main entry point). The 'network + code execution' pattern is a false positive on numeric.Function=Function and internal eval for math operator dispatch. No actual dropper behavior. | ai | |
| source-diff | net-exec-file:numeric-1.2.4.min.js | AI (source-diff): Minified build artifact of the library itself. Same false positive as the unminified version — no actual network exfiltration or dropper behavior present. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Found in vendored tools/jquery-1.7.1.js — jQuery's well-known JSON parsing fallback. Not package runtime code. | ai | |
| semgrep | semgrep:obfuscation-packer | AI (semgrep): Packer pattern is in tools/sylvester.js, a vendored/bundled tool file using Dean Edwards packer — a common 2011-era minification technique. Not in main package code, no malicious behavior. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Found in tools/unit2.js test harness, loading the numeric module by path. Not a production runtime risk. | ai | |
| source-diff | net-exec-file:numeric-1.1.9.min.js | AI (source-diff): Minified version of the same legitimate numeric.js library. Function constructor usage is documented library behavior, not a dropper/loader pattern. | ai | |
| source-diff | net-exec-file:numeric-1.1.9.js | AI (source-diff): numeric.js legitimately uses Function constructor for performance-critical numerical operations. The sample confirms this is the canonical library source, not malware. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): sloisel is the original author (Sébastien Loisel); GitHub repo is github.com/sloisel/numeric. This is the legitimate maintainer, not a takeover. | ai | |
| source-diff | net-exec-file:numeric-1.2.1.min.js | AI (source-diff): Minified version of the same legitimate library; same false-positive rationale as the unminified file. | ai | |
| source-diff | net-exec-file:numeric-1.2.1.js | AI (source-diff): Legitimate numerical analysis library; dynamic code execution is a documented IE compatibility shim and operator-testing eval, not malware. Network references are benign. | ai | |
| source-diff | net-exec-file:numeric-1.2.0.min.js | AI (source-diff): Minified build of the same library file. Same false-positive rationale as the unminified version — no dropper/loader behavior present. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected for this legacy package. | ai | |
| source-diff | net-exec-file:numeric-1.2.0.js | AI (source-diff): This is the library's main distribution file. Dynamic code execution is a Function constructor alias for IE compat; no actual remote code fetching or exfiltration present. | ai | |
| source-diff | net-exec-file:numeric-1.2.6.js | AI (source-diff): This is the library's main distribution file. 'Network + code execution' flags are false positives: numeric.Function=Function is used for math code generation, not malware. Stable for this numerical analysis library. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used to test arithmetic operators (e.g., eval('1'+op+'0')) for building numeric dispatch tables — a legitimate pattern in this math library, not arbitrary external input execution. | ai | |
| source-diff | net-exec-file:numeric-1.2.6.min.js | AI (source-diff): Minified version of the library's main file. Same false positive rationale as the unminified version — legitimate numerical analysis code, not a dropper. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 1.2.6 | 0 / 0 | |
| 1.2.5 | 0 / 0 | |
| 1.2.4 | 0 / 0 | |
| 1.2.3 | 0 / 0 | |
| 1.2.2 | 0 / 0 | |
| 1.2.1 | 0 / 0 | |
| 1.2.0 | 0 / 0 | |
| 1.1.9 | 0 / 0 | |
| 1.0.3 | 0 / 1 | |
v1.2.6
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.5
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.4
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.3
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.9
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
2 findings
JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected > 1 | eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStrin
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.