A standalone chat application for ORBIT that can be installed as an npm package and run as a CLI tool. All API communication is routed through a built-in Express proxy that maps adapter names to backend API keys, so **no secrets ever reach the browser**.
Static analysis flagged 22 finding(s) at 97.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Package contains a critical-looking secret pattern.
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L3RSA private key in dist/assets/vendor-auth-aD_bwYde.js
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L3Source reaches cloud instance metadata or link-local credential endpoints.
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/assets/docx-preview-DehBmhog.jsView on unpkg · L11Package source references dynamic require/import behavior.
dist/assets/vendor-syntax-INF7-xC_.jsView on unpkg · L12Manifest entrypoint contains risky behavior absent from dist/build output.
bin/orbitchat.jsView on unpkg · L12Package ships non-JavaScript build or shell helper files.
orbitchat.shView on unpkgPackage ships high-entropy non-source blobs.
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/assets/cytoscape.esm-DTSO7Bv0.jsView on unpkgSource reaches cloud instance metadata or link-local credential endpoints.
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/assets/vendor-syntax-INF7-xC_.jsView on unpkg · L12Package ships non-JavaScript build or shell helper files.
orbitchat.shView on unpkgPackage ships high-entropy non-source blobs.
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/assets/cytoscape.esm-DTSO7Bv0.jsView on unpkgPackage contains a critical-looking secret pattern.
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L3RSA private key in dist/assets/vendor-auth-aD_bwYde.js
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L3Package source references a known benign dynamic code generation pattern.
dist/assets/docx-preview-DehBmhog.jsView on unpkg · L11Manifest entrypoint contains risky behavior absent from dist/build output.
bin/orbitchat.jsView on unpkg · L12Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkg · L17