← Home

@aztec/bot

npm

Simple bot that connects to a PXE to send txs on a recurring basis.

6
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

zac-williamsonleilawangcharlielyejaosefjoss-aztecprotocolludamad

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:source-map-support AI (phantom-deps): source-map-support is a standard TypeScript/Node.js helper referenced in config files; benign phantom dep pattern. ai
dependencies unvetted-dep:@aztec/wallets AI (dependencies): Same-org @aztec monorepo dependency; all @aztec packages are co-versioned and part of the same legitimate project. ai
dependencies unvetted-dep:@aztec/aztec.js AI (dependencies): Same-org @aztec monorepo dependency; co-versioned internal package from the Aztec Protocol project. ai
dependencies unvetted-dep:@aztec/noir-protocol-circuits-types AI (dependencies): Same-org @aztec monorepo dependency; co-versioned internal package from the Aztec Protocol project. ai
phantom-deps phantom-dep:tslib AI (phantom-deps): tslib is a standard TypeScript runtime helper; phantom detection is a known false positive for TypeScript monorepos. ai
phantom-deps phantom-dep:@aztec/entrypoints AI (phantom-deps): Same-org @aztec package; phantom detection in monorepo context is a known false positive. ai
typosquat typosquat.levenshtein:koa AI (typosquat): @aztec/bot is a scoped package in the legitimate Aztec Protocol org. Levenshtein match to 'koa' is purely coincidental. ai
typosquat typosquat.levenshtein:joi AI (typosquat): @aztec/bot is a scoped package in the legitimate Aztec Protocol org. Levenshtein match to 'joi' is purely coincidental. ai
typosquat typosquat.levenshtein:zod AI (typosquat): @aztec/bot is a scoped package in the legitimate Aztec Protocol org. Levenshtein match to 'zod' is purely coincidental. ai
bogus-package bogus-package AI (bogus-package): Missing README/repo/keywords are typical of monorepo sub-packages. The 'inherits' field confirms this pattern. 944 versions and 3.7k weekly downloads confirm legitimacy. ai
typosquat typosquat.levenshtein:got AI (typosquat): @aztec/bot is a scoped package in the legitimate Aztec Protocol org. 'bot' refers to a bot utility, not a typosquat of 'got'. Scoped namespace eliminates impersonation risk. ai

Versions (showing 6 of 6)

Version Deps Published
4.3.0 18 / 9
4.2.1 18 / 9
4.2.0 18 / 9
4.1.3 18 / 9
4.1.2 18 / 9
2.0.4 13 / 8

v4.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'got' typosquat

Package name '@aztec/bot' is 1 edit(s) away from popular package 'got'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.