
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@czap/assets
Advanced tools
Asset capsules + analysis projections (audio waveform, beat markers, ...)
Decodes WAV audio to samples (plus image/video metadata probes) and derives deterministic analysis — beat markers, onsets, waveform — that scenes can sync to.
Install this directly when a scene needs decoded audio or beat/onset analysis. If you're starting a new project, start with the
liteshippackage instead — it brings the whole stack.
pnpm add @czap/assets effect@4.0.0-beta.32
effect v4 is a required peer and only ships as a beta — install the pin above (any >=4.0.0-beta.0 satisfies it).
import { readFile } from 'node:fs/promises';
import { defineAsset, audioDecoder, detectBeats } from '@czap/assets';
// Register the asset once — scenes reference it by id via AssetRef('intro-bed').
defineAsset({
id: 'intro-bed',
source: 'audio/intro-bed.wav',
kind: 'audio',
budgets: { decodeP95Ms: 50 }, // decode-time budget, in milliseconds
invariants: [],
});
const file = await readFile('audio/intro-bed.wav');
const audio = await audioDecoder(new Uint8Array(file).buffer);
const { bpm, beats } = detectBeats(audio);
console.log(`${Math.round(bpm)} bpm, ${beats.length} beats`);
Logs the tempo estimate and beat count for the file. beats are sample indices, not milliseconds — @czap/scene provides resolveBeatProjectionToSceneBeats to convert them to timeline time. Same input, same output, every run: the analysis has no randomness, so results are cacheable by content.
A layered package: defineAsset wraps each declaration in a capsule (a declared unit carrying budgets and invariant checks) via @czap/core, and the analysis output shapes come from @czap/_spine so @czap/scene can consume them without depending on this package. The image and video decoders probe format/dimension metadata only — frame decoding belongs to the render pipeline, not here. Test-only registry helpers ship at the @czap/assets/testing subpath. See the package surfaces map for the full layout.
Part of LiteShip — powered by the CZAP engine (Content-Zoned Adaptive Projection), distributed as @czap/* packages.
FAQs
Asset capsules + analysis projections (audio waveform, beat markers, ...)
We found that @czap/assets demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.