
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@czap/_spine
Advanced tools
Type-only spine for czap — declaration-file source of truth shared across published packages
TypeScript declaration files — no runtime code — that published @czap/* packages share so your compiler can resolve their types.
You usually don't install this directly — it arrives as a dependency of @czap/core. Install
@czap/coreinstead unless you want only the shared type vocabulary, with zero JavaScript.
pnpm add @czap/core effect@beta # brings @czap/_spine with it
import type { MotionTier, CapLevel } from '@czap/_spine';
const motion: MotionTier = 'transitions'; // 'none' | 'transitions' | 'animations' | 'physics' | 'compute'
const cap: CapLevel = 'animated'; // 'static' | 'styled' | 'reactive' | 'animated' | 'gpu'
This compiles and nothing runs — the npm tarball contains no JavaScript, only .d.ts files. Type-checking without errors is the success criterion.
This is the type-only layer under the foundation: @czap/core, @czap/scene, and @czap/assets depend on it so their published .d.ts files can reference one shared set of contracts instead of duplicating them. It has no runtime dependencies and ships no JavaScript. The runtime implementations of every type declared here live in the corresponding @czap/* package. See the
package surfaces map
for the full layout.
A value import (import { MotionTier } from '@czap/_spine') fails at runtime or bundle time with a missing-module error: there is no JavaScript here. Use import type, or import the runtime value from the package that implements it.
Part of LiteShip — powered by the CZAP engine (Content-Zoned Adaptive Projection), distributed as @czap/* packages.
FAQs
Type-only declaration spine referenced by published `.d.ts` from `@czap/core` / `@czap/scene`
The npm package @czap/_spine receives a total of 462 weekly downloads. As such, @czap/_spine popularity was classified as not popular.
We found that @czap/_spine demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.