@bitgo/sdk-coin-coreum — Greenflagged

BitGo SDK coin library for Coreum

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

louib-bitgobitgobot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/transferBuilder.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/StakingDeactivateBuilder.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/StakingWithdrawRewardsBuilder.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/transactionBuilder.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/resources/coreum.js	AI (source-diff): Compiled TypeScript test fixture; long lines are base64 tx data, not obfuscation.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/coreum.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors, not obfuscation.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/resources/tcoreum.js	AI (source-diff): Compiled TypeScript test fixture with base64 tx data; not obfuscation.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/keyPair.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/transaction.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/utils.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/unit/transactionBuilder/StakingActivateBuilder.js	AI (source-diff): Compiled TypeScript unit test; long lines are test vectors.	ai	2026/05/30
provenance	publisher-changed	AI (provenance): Both publishers are BitGo org accounts; internal maintainer rotation within the same org.	ai	2026/05/18
phantom-deps	phantom-dep:@bitgo/sdk-lib-mpc	AI (phantom-deps): Same-org transitive dep; phantom-dep heuristic false positive for this package.	ai	2026/05/17
phantom-deps	phantom-dep:@cosmjs/encoding	AI (phantom-deps): Declared as a direct dep; phantom-dep heuristic false positive for this package.	ai	2026/05/17

Versions (showing 75 of 75)

Version	Deps	Published
21.9.14	8 / 2	2026-06-04
21.9.13	8 / 2	2026-06-03
21.9.12	8 / 2	2026-06-02
21.9.11	8 / 2	2026-05-28
21.9.10	8 / 2	2026-05-26
21.9.9	8 / 2	2026-05-22
21.9.8	8 / 2	2026-05-14
21.9.7	8 / 2	2026-05-05
21.9.6	8 / 2	2026-04-29
21.9.5	8 / 2	2026-04-28
21.9.4	8 / 2	2026-04-22
21.9.3	8 / 2	2026-04-14
21.9.2	8 / 2	2026-04-10
21.9.1	8 / 2	2026-04-08
21.9.0	8 / 2	2026-03-29
21.8.4	8 / 2	2026-03-27
21.8.3	8 / 2	2026-03-18
21.8.2	8 / 2	2026-03-10
21.8.1	8 / 2	2026-03-05
21.8.0	8 / 2	2026-03-03
21.7.1	8 / 2	2026-02-27
21.7.0	8 / 2	2026-02-24
21.6.2	8 / 2	2026-02-13
21.6.1	8 / 2	2026-02-12
21.6.0	8 / 2	2026-01-30
21.5.24	8 / 2	2026-01-22
21.5.22	8 / 2	2026-01-14
21.5.21	8 / 2	2026-01-07
21.5.20	8 / 2	2025-12-23
21.5.19	8 / 2	2025-12-17
21.5.18	8 / 2	2025-12-11
21.5.17	8 / 2	2025-12-05
21.5.16	8 / 2	2025-12-04
21.5.15	8 / 2	2025-11-26
21.5.14	8 / 2	2025-11-19
21.5.13	8 / 2	2025-11-13
21.5.12	8 / 2	2025-11-12
21.5.11	8 / 2	2025-11-06
21.5.10	8 / 2	2025-10-31
21.5.9	8 / 2	2025-10-29
21.5.8	8 / 2	2025-10-24
21.5.7	8 / 2	2025-10-21
21.5.6	8 / 2	2025-10-16
21.5.4	8 / 2	2025-10-09
21.5.3	8 / 2	2025-10-08
21.5.2	8 / 2	2025-10-02
21.5.1	8 / 2	2025-09-29
21.5.0	8 / 2	2025-09-25
21.4.2	8 / 2	2025-09-03
21.4.1	8 / 2	2025-08-30
21.4.0	8 / 2	2025-08-29
21.3.1	8 / 2	2025-08-27
21.3.0	8 / 2	2025-08-22
21.2.3	8 / 2	2025-08-22
21.2.2	8 / 2	2025-08-19
21.2.1	8 / 2	2025-08-14
21.2.0	8 / 2	2025-08-07
21.1.11	8 / 2	2025-07-31
21.1.10	8 / 2	2025-07-30
21.1.9	8 / 2	2025-07-25
21.1.8	8 / 2	2025-07-23
21.1.7	8 / 2	2025-07-15
21.1.6	8 / 2	2025-07-10
21.1.5	8 / 2	2025-07-03
21.1.4	8 / 2	2025-06-25
21.1.3	8 / 2	2025-06-24
21.1.2	8 / 2	2025-06-18
21.1.1	8 / 2	2025-06-10
21.1.0	8 / 2	2025-06-05
21.0.52	8 / 2	2025-06-02
21.0.51	8 / 2	2025-05-28
21.0.50	8 / 2	2025-05-22
21.0.49	8 / 2	2025-05-20
21.0.48	8 / 2	2025-05-07
21.0.47	8 / 2	2025-04-29

v21.9.14

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.5

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-04-28) provenance

This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.4

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-04-22) provenance

This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.3

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-04-14) provenance

This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.2

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-04-10) provenance

This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.1

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-04-08) provenance

This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.9.0

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-03-29) provenance

This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.8.4

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-03-27) provenance

This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.8.3

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-03-18) provenance

This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.8.2

2 findings

HIGH Publisher changed: bitgobot → GitHub Actions (on 2026-03-10) provenance

This version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.8.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.7.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.6.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.24

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.22

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.21

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.20

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.19

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.17

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.16

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.14

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.5.4

13 findings

HIGH Publisher changed: mohammadalfaiyaz_bitgo → bitgobot (on 2025-10-09) provenance

This version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/test/resources/coreum.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/coreum.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/keyPair.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/StakingActivateBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/StakingDeactivateBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/StakingWithdrawRewardsBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/resources/tcoreum.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transaction.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/transactionBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/transactionBuilder/transferBuilder.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/test/unit/utils.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.5.3

13 findings

HIGH Publisher changed: mohammadalfaiyaz_bitgo → bitgobot (on 2025-10-08) provenance

This version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.