
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
Convert JSON to DCP positional-array format — fewer tokens, same accuracy.
DCP strips repeated keys from structured data. Instead of sending {"endpoint":"/v1/users","method":"GET","status":200} per record, DCP declares the schema once and writes values by position:
["$S","api-response:v1","endpoint","method","status","latency_ms"]
["/v1/users","GET",200,42]
["/v1/orders","POST",201,187]
40–60% token reduction when feeding data to LLMs. Zero accuracy cost. See benchmark.
npm install dcp-wrap
Or use directly:
npx dcp-wrap
cat api-response.json | npx dcp-wrap init api-response
Output:
Schema: api-response:v1
Fields: 4
endpoint: string (source: endpoint, unique: 4/4)
method: string (source: method, unique: 2/4) [enum(2)]
status: number (source: status, unique: 2/4)
latency_ms: number (source: latency_ms, unique: 4/4)
Saved: dcp-schemas/api-response.v1.json
Saved: dcp-schemas/api-response.v1.mapping.json
The generator infers field types, detects enums, numeric ranges, and orders fields by DCP convention (identifiers → classifiers → numerics → text).
cat data.json | npx dcp-wrap encode --schema dcp-schemas/api-response.v1.json
Output:
["$S","api-response:v1","endpoint","method","status","latency_ms"]
["/v1/users","GET",200,42]
["/v1/orders","POST",201,187]
["/v1/auth","POST",200,95]
npx dcp-wrap inspect dcp-schemas/api-response.v1.json
For known structures where you define the schema inline:
import { dcpEncode } from "dcp-wrap";
const dcp = dcpEncode(results, {
id: "engram-recall:v1",
fields: ["id", "relevance", "summary", "tags", "hitCount", "weight", "status"],
});
// ["$S","engram-recall:v1","id","relevance","summary","tags","hitCount","weight","status"]
// ["abc123",0.95,"port conflict fix","docker,gotcha",12,3.2,"fixed"]
Array fields are auto-joined with comma. Use transform for custom handling:
const dcp = dcpEncode(records, schema, {
transform: { relevance: (v) => +(v as number).toFixed(3) },
});
For unknown JSON where you want schema inference:
import { SchemaGenerator, DcpEncoder, DcpSchema, FieldMapping } from "dcp-wrap";
const gen = new SchemaGenerator();
const draft = gen.fromSamples(jsonRecords, { domain: "github-pr" });
const schema = new DcpSchema(draft.schema);
const mapping = new FieldMapping(draft.mapping);
const encoder = new DcpEncoder(schema, mapping);
const batch = encoder.encode(jsonRecords);
console.log(DcpEncoder.toString(batch));
Nested objects are automatically flattened via dot-notation:
{"id": "pr-1", "metadata": {"author": "alice", "state": "open"}}
The generator maps metadata.author → author, metadata.state → state. The mapping file records the full paths for encoding.
Real-world APIs return deeply nested objects, inconsistent fields, and dozens of keys you don't need. The generator applies three guards by default:
| Guard | Default | What it does |
|---|---|---|
maxDepth | 3 | Stops flattening at 3 levels. a.b.c is resolved; a.b.c.d.e is kept as an opaque value. |
maxFields | 20 | Keeps the top 20 fields by DCP priority (identifiers → classifiers → numerics → text). The rest are dropped. |
minPresence | 0.1 | Fields appearing in less than 10% of samples are excluded. |
Override when needed:
const draft = gen.fromSamples(samples, {
domain: "some-api",
maxDepth: 2, // very flat — only top-level and one level of nesting
maxFields: 10, // aggressive trim
minPresence: 0.5, // field must appear in at least half the samples
});
Always review the generated schema before using it in production. The generator infers — it does not know your intent. Check:
include / exclude to override.metadata.author → author). Use fieldNames to rename.dcpEncode(). Use transform for custom serialization.{domain}:v{version} from your input. This ID is how consumers identify the schema.dcp-wrap handles JSON → DCP conversion. For shadow index optimization, agent profiling, and the full protocol design, see dcp-docs.pages.dev.
dcp-wrap ships with an out-of-process hook for PicoClaw that DCP-encodes tool results before they reach the LLM. No core modification needed — just configure a process hook.
See docs/picoclaw-integration.md for setup guide, Docker instructions, and gotchas.
Apache-2.0
FAQs
Convert JSON to DCP positional-array format for AI agents — 40-70% token reduction
The npm package dcp-wrap receives a total of 8 weekly downloads. As such, dcp-wrap popularity was classified as not popular.
We found that dcp-wrap demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.