
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
The czap command-line tool: every verb emits one JSON receipt (a structured result line) on stdout and keeps human-readable summaries on stderr, so output pipes cleanly into jq, CI, or an AI agent.
Install this directly when you want the
czapverbs in a project or CI. If you're starting a new project, start with liteship instead — it installs this package along with the rest of the stack.
pnpm add -D @czap/cli
npx czap doctor
{"status":"ok","command":"doctor","verdict":"ready","checks":[
{"id":"node.version","label":"Node.js","status":"ok","detail":"22.22.3"},
{"id":"pnpm.version","label":"pnpm","status":"ok","detail":"10.32.1"}
]}
You should see one JSON line like the above on stdout (shown wrapped here) and, on a terminal, a colored per-check summary on stderr. Exit code is 0 for an ok receipt, 1 for failed; --ci escalates warnings to 1.
| Verb | What it does |
|---|---|
czap doctor [--fix] [--ci] [--preflight] [--target cloudflare] | Environment preflight: Node, pnpm, install, build artifacts, git hooks. --fix applies cheap remediations. |
czap help · czap version · czap glossary [term] | Help chart, version receipt, vocabulary lookup. |
czap completion <bash|zsh|fish> | Tab-completion script — the one verb that writes a raw script, not JSON, to stdout. |
czap describe [--format json|mcp] | Machine-readable description of every verb and schema. |
czap mcp [--http :3838] | Start the MCP server (requires @czap/mcp-server installed). |
czap scene compile|dev|render|verify <path> | Compile, watch, render, or check a scene definition. |
czap asset analyze|verify | Analyze (beats, onsets, waveform) or check an asset. |
czap capsule list|inspect|verify | Work with capsules — self-describing component packages — from the manifest. |
czap audit [--consumer|--profile <p>] [--findings] | Run the @czap/audit engine; receipt carries the counts. |
czap gauntlet · czap ship <pkg> · czap verify | Release gate, npm publish, post-publish verification. |
Renders and analyses are cached by a hash of their inputs; pass --force to re-run. Unknown verbs exit 1 with a trailing {"error":"unknown_command"} line on stderr.
@czap/cli is a terminal adapter over @czap/command, the shared command catalog and dispatcher — the MCP server projects the same catalog, and neither imports the other (czap mcp only dynamically loads @czap/mcp-server). Scene and asset verbs execute through @czap/scene and @czap/assets, czap audit wires the @czap/audit engine, and shared types come from @czap/core. See the package surfaces map for the full layout.
capsule verbs read a capsule manifest, by default reports/capsule-manifest.json under the current directory; outside a repo that has one they fail with a manifest-missing receipt. Set CZAP_CAPSULE_MANIFEST to point at yours.
Part of LiteShip — powered by the CZAP engine (Content-Zoned Adaptive Projection), distributed as @czap/* packages.
FAQs
`czap` CLI: AI-first JSON I/O with human-pretty TTY mode
The npm package @czap/cli receives a total of 252 weekly downloads. As such, @czap/cli popularity was classified as not popular.
We found that @czap/cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.