@bitgo/sdk-coin-atom — Greenflagged

BitGo SDK coin library for Cosmos

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

louib-bitgobitgobot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-takeover	AI (maintainer-change): bitgobot is BitGo's automation account with 498 approved packages; consistent with org-wide pipeline migration.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/transactionBuilder.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/transferBuilder.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/utils.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/resources/atom.js	AI (source-diff): Compiled TypeScript test fixture; long lines are base64 test vectors, not obfuscation.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/atom.js	AI (source-diff): Standard tsc-compiled unit test output; readable test logic visible in sample.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/keyPair.js	AI (source-diff): Compiled TypeScript unit test; long lines from test data, not obfuscation.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/StakingActivateBuilder.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/StakingDeactivateBuilder.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/StakingRedelegateBuilder.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/StakingWithdrawRewardsBuilder.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
source-diff	obfuscated-file:dist/test/unit/transaction.js	AI (source-diff): Compiled TypeScript unit test; standard tsc output pattern.	ai	2026/05/24
provenance	publisher-changed	AI (provenance): zahin-mohammad is an established BitGo org publisher with 321 approvals; transition appears legitimate.	ai	2026/05/23
phantom-deps	phantom-dep:@bitgo/sdk-lib-mpc	AI (phantom-deps): Same-org transitive usage; stable false positive for this BitGo monorepo package.	ai	2026/05/17
phantom-deps	phantom-dep:@cosmjs/encoding	AI (phantom-deps): Declared as runtime dep; phantom-dep heuristic false positive for this package.	ai	2026/05/17

Versions (showing 43 of 43)

Version	Deps	Published
13.13.2	8 / 4	2026-06-04
13.13.1	8 / 4	2026-06-03
13.13.0	8 / 4	2026-06-02
13.12.11	8 / 4	2026-05-28
13.12.10	8 / 4	2026-05-26
13.12.9	8 / 4	2026-05-22
13.12.8	8 / 4	2026-05-14
13.12.7	8 / 4	2026-05-05
13.12.6	8 / 4	2026-04-29
13.11.0	8 / 4	2026-02-12
13.9.9	8 / 4	2025-10-29
13.9.5	8 / 4	2025-10-13
13.9.3	8 / 4	2025-10-08
13.9.2	8 / 4	2025-10-02
13.9.1	8 / 4	2025-09-29
13.9.0	8 / 4	2025-09-25
13.8.2	8 / 4	2025-09-03
13.8.1	8 / 4	2025-08-30
13.8.0	8 / 4	2025-08-29
13.7.1	8 / 4	2025-08-27
13.7.0	8 / 4	2025-08-22
13.6.3	8 / 4	2025-08-22
13.6.2	8 / 4	2025-08-19
13.6.1	8 / 4	2025-08-14
13.6.0	8 / 4	2025-08-07
13.5.11	8 / 4	2025-07-31
13.5.10	8 / 4	2025-07-30
13.5.9	8 / 4	2025-07-25
13.5.8	8 / 4	2025-07-23
13.5.7	8 / 4	2025-07-15
13.5.6	8 / 4	2025-07-10
13.5.5	8 / 4	2025-07-03
13.5.4	8 / 4	2025-06-25
13.5.3	8 / 4	2025-06-24
13.5.2	8 / 4	2025-06-18
13.5.1	8 / 4	2025-06-10
13.5.0	8 / 4	2025-06-05
13.4.14	8 / 4	2025-06-02
13.4.13	8 / 4	2025-05-28
13.4.12	8 / 4	2025-05-22
13.4.11	8 / 4	2025-05-20
13.4.10	8 / 4	2025-05-07
13.4.9	8 / 4	2025-04-29

v13.13.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.13.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.13.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.12.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.12.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.12.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.12.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.12.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.12.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.11.0

14 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: mohammadalfaiyaz_bitgo → bitgobot (on 2026-02-12) provenance

This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/test/resources/atom.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/atom.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/keyPair.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/StakingActivateBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/StakingDeactivateBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/StakingRedelegateBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/StakingWithdrawRewardsBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transaction.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/transactionBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/transferBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/utils.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.9.9

14 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: mohammadalfaiyaz_bitgo → bitgobot (on 2025-10-29) provenance

This version was published by a different npm account than previous versions on 2025-10-29. This could indicate a legitimate maintainer transition or an account compromise.