Report abuse.
You are reporting:
Malicious code, a compromised release, a prompt-injection payload in package docs, name squatting: report it and it gets acted on.
How to report
- Email
dev (at) treecombinator.comwith the subject[givo abuse]. - Include the package name and version, what you found, and how to reproduce or verify it.
What happens
- A verified report gets the version tombstoned: downloads
answer
410with the reason, and the record stays public as evidence. Nothing is silently erased. - The publishing token is revoked; the audit trail keeps every action.
- Federated packages (mirrored from npmjs) should also be reported upstream; GIVO can stop serving a bad cached version on its side.