← Home

@bitgo-beta/sdk-coin-ethlike

npm Repository Homepage

BitGo SDK coin library for EthLike coins

2
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bitgobot

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/test/resources.js AI (source-diff): Compiled test resource file; long lines are hex-encoded bytecode constants, not obfuscation. ai
source-diff obfuscated-file:dist/test/fixtures/ethlikeCoin.js AI (source-diff): Compiled TypeScript test fixture; long lines are inline hex/data blobs, not obfuscation. ai
source-diff obfuscated-file:dist/test/unit/ethlikeCoin.js AI (source-diff): Standard tsc-compiled test file with CommonJS boilerplate; not obfuscated. ai
phantom-deps phantom-dep:@bitgo-beta/secp256k1 AI (phantom-deps): Same-org dep likely used transitively via abstract-eth; stable false positive for this package. ai
source-diff obfuscated-file:dist/test/unit/walletInitialization.js AI (source-diff): Standard tsc-compiled test file; not obfuscated. ai
source-diff source-size-tripled AI (source-diff): Size increase explained by newly included compiled test files in dist/. ai
phantom-deps phantom-dep:ethereumjs-util AI (phantom-deps): ethereumjs-util is a declared runtime dependency in package.json; phantom-dep is a false positive here. ai

Versions (showing 2 of 2)

Version Deps Published
2.5.0 6 / 2
1.0.0 5 / 3

v2.5.0

5 findings
HIGH New obfuscated file: dist/test/fixtures/ethlikeCoin.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/ethlikeCoin.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/resources.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/walletInitialization.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.