
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@czap/_spine
Advanced tools
Install-only TypeScript declaration spine for LiteShip: the shared type anchor that `@czap/core` and `@czap/scene` reference from their published `.d.ts` — there is nothing to import at runtime.
TypeScript declaration files — no runtime code — that published @czap/* packages share so your compiler can resolve their types.
You usually don't install this directly — it arrives as a dependency of @czap/core. Install
@czap/coreinstead unless you want only the shared type vocabulary, with zero JavaScript.
pnpm add @czap/core effect@beta # brings @czap/_spine with it
import type { MotionTier, CapLevel } from '@czap/_spine';
const motion: MotionTier = 'transitions'; // 'none' | 'transitions' | 'animations' | 'physics' | 'compute'
const cap: CapLevel = 'animated'; // 'static' | 'styled' | 'reactive' | 'animated' | 'gpu'
This compiles and nothing runs — the npm tarball contains no JavaScript, only .d.ts files. Type-checking without errors is the success criterion.
This is the type-only layer under the foundation: @czap/core, @czap/scene, and @czap/assets depend on it so their published .d.ts files can reference one shared set of contracts instead of duplicating them. It has no runtime dependencies and ships no JavaScript. The runtime implementations of every type declared here live in the corresponding @czap/* package. See the
package surfaces map
for the full layout.
A value import (import { MotionTier } from '@czap/_spine') fails at runtime or bundle time with a missing-module error: there is no JavaScript here. Use import type, or import the runtime value from the package that implements it.
Part of LiteShip — powered by the CZAP engine (Content-Zoned Adaptive Projection), distributed as @czap/* packages.
FAQs
Install-only TypeScript declaration spine for LiteShip: the shared type anchor that `@czap/core` and `@czap/scene` reference from their published `.d.ts` — there is nothing to import at runtime.
The npm package @czap/_spine receives a total of 462 weekly downloads. As such, @czap/_spine popularity was classified as not popular.
We found that @czap/_spine demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.