@bitgo-beta/sdk-coin-algo
BitGo SDK coin library for Algorand
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): bitgoaaron → bitgobot is a legitimate BitGo org transition to automated publishing. | ai | |
| source-diff | obfuscated-file:dist/test/integration/algo.integration.js | AI (source-diff): Compiled TypeScript test file; long lines from inline test data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/fixtures/algo.js | AI (source-diff): Test fixture data file; long lines are serialized test wallet/transaction data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/algo.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate with long inline test vectors. | ai | |
| source-diff | obfuscated-file:dist/test/unit/algoIsWalletAddress.js | AI (source-diff): Compiled TypeScript unit test; long lines from inline test data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/algoToken.js | AI (source-diff): Compiled TypeScript unit test; long lines from inline test data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/assetTransferBuilder.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/base.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/keyPair.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/keyRegistrationBuilder.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/fixtures/resources.js | AI (source-diff): Test fixture data file; long lines are serialized test data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transaction.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/transactionBuilderFactory.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/transferBuilder.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/utils.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/verifyTransaction.js | AI (source-diff): Compiled TypeScript unit test; standard TS boilerplate. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): bitgobot is BitGo's automated publishing account; consistent with org-wide bot-based publishing pattern. | ai | |
| provenance | no-provenance | AI (provenance): BitGo monorepo packages consistently lack Sigstore provenance; stable false positive for this publisher. | ai | |
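The three registry-metadata findings in the table above (publisher-changed, maintainer-takeover, no-provenance) and the provenance gap described under Supply chain provenance all reduce to checks on the package's registry document. As an added example, not the scanner's or BitGo's own code, the JavaScript below runs those checks over a constructed packument excerpt. The field names follow the public npm registry document shape (`versions[v].dist`, `versions[v]._npmUser`, `versions[v].maintainers`) and the predicateType string is the SLSA v1 identifier npm records on provenance attestations; the package name, usernames, version numbers and URLs are invented sample data.

```javascript
// Added example, not the scanner's or the package's code. Runs the registry
// metadata checks behind "publisher-changed", "maintainer-takeover" and
// "no-provenance" over a constructed packument excerpt (sample data only).

// predicateType the npm registry records for SLSA provenance attestations
const SLSA_PREDICATE = 'https://slsa.dev/provenance/v1';

// Classify provenance for one version object: 'none', 'slsa' or 'other'.
// Without an attestation there is nothing tying the tarball to a source commit
// and build, which is the gap the Supply chain provenance section describes.
function provenanceStatus(versionMeta) {
  const att = versionMeta.dist && versionMeta.dist.attestations;
  if (!att || !att.url) return 'none';
  const pred = att.provenance && att.provenance.predicateType;
  return pred === SLSA_PREDICATE ? 'slsa' : 'other';
}

// Compare the publishing account (_npmUser) of two consecutive versions.
function publisherChanged(prevMeta, currMeta) {
  const from = prevMeta._npmUser && prevMeta._npmUser.name;
  const to = currMeta._npmUser && currMeta._npmUser.name;
  return { changed: from !== to, from, to };
}

// Compare maintainer sets. A full replacement (no previous maintainer carried
// over) is the takeover signal the page flags; an incremental add or remove
// with continuity is a weaker signal.
function maintainerTransition(prevMeta, currMeta) {
  const names = (m) => new Set((m.maintainers || []).map((x) => x.name));
  const before = names(prevMeta);
  const after = names(currMeta);
  const removed = [...before].filter((n) => !after.has(n));
  const added = [...after].filter((n) => !before.has(n));
  const kept = [...before].filter((n) => after.has(n));
  const fullReplacement = before.size > 0 && kept.length === 0 && added.length > 0;
  return { added, removed, kept, fullReplacement };
}

// Run all three checks for version `curr` against its predecessor `prev`.
function triageVersion(packument, prev, curr) {
  const p = packument.versions[prev];
  const c = packument.versions[curr];
  return {
    provenance: provenanceStatus(c),
    publisher: publisherChanged(p, c),
    maintainers: maintainerTransition(p, c),
  };
}

// Constructed sample packument (hypothetical package, accounts and URLs):
// 1.0.1 swaps the only maintainer and publisher with no attestation,
// 1.0.2 is a same-account release with provenance,
// 1.0.3 adds a maintainer while keeping the existing one.
const samplePackument = {
  name: '@example-scope/sample-pkg',
  versions: {
    '1.0.0': {
      _npmUser: { name: 'alice' },
      maintainers: [{ name: 'alice' }],
      dist: { tarball: 'https://registry.example/sample-1.0.0.tgz' },
    },
    '1.0.1': {
      _npmUser: { name: 'release-bot' },
      maintainers: [{ name: 'release-bot' }],
      dist: { tarball: 'https://registry.example/sample-1.0.1.tgz' },
    },
    '1.0.2': {
      _npmUser: { name: 'release-bot' },
      maintainers: [{ name: 'release-bot' }],
      dist: {
        tarball: 'https://registry.example/sample-1.0.2.tgz',
        attestations: {
          url: 'https://registry.example/attestations/sample-1.0.2',
          provenance: { predicateType: SLSA_PREDICATE },
        },
      },
    },
    '1.0.3': {
      _npmUser: { name: 'release-bot' },
      maintainers: [{ name: 'release-bot' }, { name: 'bob' }],
      dist: {
        tarball: 'https://registry.example/sample-1.0.3.tgz',
        attestations: {
          url: 'https://registry.example/attestations/sample-1.0.3',
          provenance: { predicateType: SLSA_PREDICATE },
        },
      },
    },
  },
};

for (const [prev, curr] of [['1.0.0', '1.0.1'], ['1.0.1', '1.0.2'], ['1.0.2', '1.0.3']]) {
  console.log(`${prev} -> ${curr}`, JSON.stringify(triageVersion(samplePackument, prev, curr)));
}
```

The 1.0.0 to 1.0.1 step reproduces the combination the page reports for v2.8.8: publisher changed, every previous maintainer replaced, no attestation. An accepted-risk entry for that combination should rest on out-of-band confirmation that the new account belongs to the organisation, because the registry document alone cannot distinguish a planned move to bot publishing from a hijack.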
v2.8.8
18 findings
All previous maintainers (bitgoaaron) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published on 2026-01-09 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (15 findings of this kind, one per file; the affected files are the obfuscated-file entries in the Accepted risks table above.)
[Accepted risk] Package was published without Sigstore provenance, so the tarball cannot be cryptographically tied to a source commit and build. Consider requesting that the maintainer enable provenance via CI/CD.
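The fifteen obfuscated-file findings come from a single heuristic, a line longer than 3000 characters, and every accepted-risk reason argues the same thing: the long lines are embedded test data in compiled TypeScript, not packed code. As an added example, not the scanner's own implementation, the JavaScript below applies the raw heuristic and then the profile a reviewer can use to separate those two cases: a minified or obfuscated file has almost no line structure, so most of its lines are long, while compiled test code keeps ordinary short lines around a few long ones whose characters sit mostly inside string literals. The threshold is the page's; the three file contents are constructed samples, not files from the package.

```javascript
// Added example, not the scanner's code. The "lines over 3000 chars" heuristic
// as the page states it, plus a profile that separates minified code from
// compiled files that merely embed long data literals. Sample inputs are
// constructed; the threshold is the one the findings report.

const LONG_LINE = 3000;

// Raw heuristic behind the finding: any line longer than the threshold.
function hasLongLine(content, threshold = LONG_LINE) {
  return content.split('\n').some((l) => l.length > threshold);
}

// Count characters inside '...' or "..." literals on one line. Simple scanner:
// honours backslash escapes, ignores template literals and comments.
function quotedChars(line) {
  let count = 0;
  let quote = null;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (quote) {
      if (ch === '\\') { count += 2; i++; continue; } // escape stays inside the literal
      if (ch === quote) { quote = null; continue; }
      count++;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    }
  }
  return count;
}

// Profile a file: how many lines are long, what share of all lines that is,
// and what share of the long-line characters are string-literal content.
//   minified-or-obfuscated : the file is essentially one or a few long lines
//   long-data-literal      : few long lines, dominated by quoted data
//   review                 : long lines that are mostly code, look closer
//   clean                  : no long lines at all
function longLineProfile(content, threshold = LONG_LINE) {
  const lines = content.split('\n');
  const long = lines.filter((l) => l.length > threshold);
  const longFraction = long.length / lines.length;
  const longChars = long.reduce((acc, l) => acc + l.length, 0);
  const literalShare = longChars === 0 ? 0 : long.reduce((acc, l) => acc + quotedChars(l), 0) / longChars;
  let verdict;
  if (long.length === 0) verdict = 'clean';
  else if (longFraction >= 0.5 || lines.length <= 3) verdict = 'minified-or-obfuscated';
  else if (literalShare >= 0.8) verdict = 'long-data-literal';
  else verdict = 'review';
  return { lines: lines.length, longLines: long.length, longFraction, literalShare, verdict };
}

// Constructed sample 1: a minified bundle, one 4000+ character line of code.
const minifiedBundle = '!function(){' + 'var a=Math.random();'.repeat(200) + '}();';

// Constructed sample 2: compiled TypeScript test fixture, normal lines plus
// one long line holding a serialized transaction as a hex string literal.
const compiledTestFixture = [
  '"use strict";',
  'Object.defineProperty(exports, "__esModule", { value: true });',
  'exports.signedTx = void 0;',
  '// constructed sample: one serialized transaction as a long hex string',
  'exports.signedTx = "' + 'ab'.repeat(2000) + '";',
  'exports.address = "CONSTRUCTEDSAMPLEADDRESS";',
].join('\n');

// Constructed sample 3: compiled code with no long lines.
const cleanCompiled = [
  '"use strict";',
  'Object.defineProperty(exports, "__esModule", { value: true });',
  'exports.isWalletAddress = isWalletAddress;',
  'function isWalletAddress(address) {',
  '  return typeof address === "string" && address.length > 0;',
  '}',
].join('\n');

for (const [name, content] of [['minifiedBundle', minifiedBundle], ['compiledTestFixture', compiledTestFixture], ['cleanCompiled', cleanCompiled]]) {
  console.log(name, 'hasLongLine:', hasLongLine(content), JSON.stringify(longLineProfile(content)));
}
```

Both the minified bundle and the test fixture trip the raw heuristic, which is why the scanner raised fifteen findings; only the bundle is flagged by the profile. A long-data-literal verdict supports the accepted-risk reasoning on the page but does not by itself verify the file: a reviewer accepting it should also confirm that the shipped dist/test file matches a local build of the source at that version, since without provenance nothing else links the tarball to the repository.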