@bitgo/key-card
key card generator for BitGo wallets
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): BitGo org-wide consolidation to bitgobot CI publisher; consistent across their monorepo packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bitgobot is BitGo's CI publisher account with 90 approved packages. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Individual BitGo developer accounts replaced by org bot; consistent org-wide pattern. | ai | |
| provenance | publisher-changed | AI (provenance): pranavjain is an established BitGo org publisher (54 approved); routine maintainer rotation within the org. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established SDK sub-package; sparse README and no keywords are expected for internal monorepo modules. | ai |
Versions (showing 76 of 76)
| Version | Deps | Published |
|---|---|---|
| 0.30.0 | 5 / 1 | |
| 0.29.6 | 5 / 1 | |
| 0.29.5 | 5 / 1 | |
| 0.29.4 | 5 / 1 | |
| 0.29.3 | 5 / 1 | |
| 0.29.2 | 5 / 1 | |
| 0.29.1 | 5 / 1 | |
| 0.29.0 | 5 / 1 | |
| 0.28.41 | 5 / 1 | |
| 0.28.40 | 5 / 1 | |
| 0.28.39 | 5 / 1 | |
| 0.28.38 | 5 / 1 | |
| 0.28.37 | 5 / 1 | |
| 0.28.36 | 5 / 1 | |
| 0.28.35 | 5 / 1 | |
| 0.28.34 | 5 / 1 | |
| 0.28.33 | 5 / 1 | |
| 0.28.32 | 5 / 1 | |
| 0.28.31 | 5 / 1 | |
| 0.28.30 | 5 / 1 | |
| 0.28.29 | 5 / 1 | |
| 0.28.28 | 5 / 1 | |
| 0.28.27 | 5 / 1 | |
| 0.28.26 | 5 / 1 | |
| 0.28.25 | 5 / 1 | |
| 0.28.24 | 5 / 1 | |
| 0.28.22 | 5 / 1 | |
| 0.28.21 | 5 / 1 | |
| 0.28.20 | 5 / 1 | |
| 0.28.19 | 5 / 1 | |
| 0.28.18 | 5 / 1 | |
| 0.28.17 | 5 / 1 | |
| 0.28.16 | 5 / 1 | |
| 0.28.15 | 5 / 1 | |
| 0.28.14 | 5 / 1 | |
| 0.28.13 | 5 / 1 | |
| 0.28.12 | 5 / 1 | |
| 0.28.11 | 5 / 1 | |
| 0.28.10 | 5 / 1 | |
| 0.28.9 | 5 / 1 | |
| 0.28.8 | 5 / 1 | |
| 0.28.7 | 5 / 1 | |
| 0.28.6 | 5 / 1 | |
| 0.28.5 | 5 / 1 | |
| 0.28.4 | 5 / 1 | |
| 0.28.3 | 5 / 1 | |
| 0.28.2 | 5 / 1 | |
| 0.28.1 | 5 / 1 | |
| 0.28.0 | 5 / 1 | |
| 0.27.4 | 5 / 1 | |
| 0.27.3 | 5 / 1 | |
| 0.27.2 | 5 / 1 | |
| 0.27.1 | 5 / 1 | |
| 0.27.0 | 5 / 1 | |
| 0.26.6 | 5 / 1 | |
| 0.26.5 | 5 / 1 | |
| 0.26.4 | 5 / 1 | |
| 0.26.3 | 5 / 1 | |
| 0.26.2 | 5 / 1 | |
| 0.26.1 | 5 / 1 | |
| 0.26.0 | 5 / 1 | |
| 0.25.0 | 5 / 1 | |
| 0.24.14 | 5 / 1 | |
| 0.24.13 | 5 / 1 | |
| 0.24.12 | 5 / 1 | |
| 0.24.11 | 5 / 1 | |
| 0.24.10 | 5 / 1 | |
| 0.24.9 | 5 / 1 | |
| 0.24.8 | 5 / 1 | |
| 0.24.7 | 5 / 1 | |
| 0.24.6 | 5 / 1 | |
| 0.24.5 | 5 / 1 | |
| 0.24.4 | 5 / 1 | |
| 0.24.3 | 5 / 1 | |
| 0.24.2 | 5 / 1 | |
| 0.24.1 | 5 / 1 |
v0.30.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.41
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.40
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.39
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.38
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.37
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.36
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.35
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.34
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.33
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.32
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.31
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.30
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.29
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.28
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.27
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-02-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.26
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.25
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.24
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.22
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.21
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.20
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-12-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.19
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.18
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.17
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-12-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.16
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-12-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.15
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-11-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.14
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-11-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.13
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-11-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.12
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-11-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.11
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.10
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.9
3 findingsAll previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.8
2 findingsThis version was published by a different npm account than previous versions on 2025-10-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.7
2 findingsThis version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.6
2 findingsThis version was published by a different npm account than previous versions on 2025-10-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.5
2 findingsThis version was published by a different npm account than previous versions on 2025-10-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.4
2 findingsThis version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.3
2 findingsThis version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.2
2 findingsThis version was published by a different npm account than previous versions on 2025-10-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.1
2 findingsThis version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
2 findingsThis version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.4
2 findingsThis version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.1
2 findingsThis version was published by a different npm account than previous versions on 2025-08-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.3
2 findingsThis version was published by a different npm account than previous versions on 2025-08-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.2
2 findingsThis version was published by a different npm account than previous versions on 2025-07-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.1
2 findingsThis version was published by a different npm account than previous versions on 2025-07-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0
2 findingsThis version was published by a different npm account than previous versions on 2025-07-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.0
2 findingsThis version was published by a different npm account than previous versions on 2025-07-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.14
2 findingsThis version was published by a different npm account than previous versions on 2025-07-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.7
2 findingsThis version was published by a different npm account than previous versions on 2025-06-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.6
2 findingsThis version was published by a different npm account than previous versions on 2025-06-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.5
2 findingsThis version was published by a different npm account than previous versions on 2025-05-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.