Wormsign detonated npm:@cloudplatform-single-spa/svp-baas in a network-sandboxed environment. Observed 6 indicator(s); 6 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@cloudplatform-single-spa/svp-baas. TLP:CLEAR — indicators only, no malware samples.