@bitgo/sdk-lib-mpc — Greenflagged

library functions for BitGo's MPC solution

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

louib-bitgobitgobot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/src/tss/eddsa-mps/derive.js	AI (source-diff): Readable compiled TS with long comment lines; not obfuscated. Stable pattern for this package's dist output.	ai	2026/05/29
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of individual maintainers in favor of bitgobot is a known BitGo org-wide consolidation.	ai	2026/05/22
maintainer-change	maintainer-takeover	AI (maintainer-change): BitGo consolidated all package publishing under bitgobot automation account; not a hostile takeover.	ai	2026/05/22
maintainer-change	maintainer-added	AI (maintainer-change): bitgobot is BitGo's org-wide automation publisher; addition is expected.	ai	2026/05/22
source-diff	obfuscated-file:dist/src/tss/eddsa-mps/types.js	AI (source-diff): TypeScript-compiled CJS output; long lines are TS boilerplate helpers, not obfuscation.	ai	2026/05/22
source-diff	obfuscated-file:dist/src/tss/eddsa-mps/commsLayer.js	AI (source-diff): TypeScript-compiled CJS output; long lines are TS boilerplate helpers, not obfuscation. Stable pattern for this package.	ai	2026/05/22
source-diff	obfuscated-file:dist/src/tss/eddsa-mps/dkg.js	AI (source-diff): TypeScript-compiled CJS output with readable DKG class and comments; not obfuscated.	ai	2026/05/22
provenance	publisher-changed	AI (provenance): bitgobot is BitGo's org publishing account with 333 approved packages; publisher transition is organizational, not a takeover.	ai	2026/05/21
phantom-deps	phantom-dep:@types/superagent	AI (phantom-deps): Type-only dependency; not imported at runtime, stable false positive for this package.	ai	2026/05/17

Versions (showing 16 of 16)

Version	Deps	Published
10.14.0	15 / 6	2026-05-22
10.13.0	15 / 6	2026-05-14
10.12.0	15 / 6	2026-04-29
10.11.1	15 / 6	2026-04-28
10.11.0	15 / 6	2026-04-22
10.10.2	14 / 6	2026-04-14
10.10.1	14 / 6	2026-04-10
10.10.0	14 / 6	2026-03-27
10.9.0	14 / 7	2026-01-30
10.8.1	14 / 7	2025-10-09
10.8.0	14 / 7	2025-10-08
10.7.0	14 / 7	2025-08-22
10.6.0	14 / 7	2025-07-03
10.5.0	14 / 7	2025-06-05
10.4.0	14 / 7	2025-06-02
10.3.0	14 / 7	2025-05-22

v10.14.0

2 findings

HIGH New obfuscated file: dist/src/tss/eddsa-mps/derive.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.13.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.12.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.11.1

6 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: zahin-mohammad → GitHub Actions (on 2026-04-28) provenance

This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/src/tss/eddsa-mps/commsLayer.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/src/tss/eddsa-mps/dkg.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/src/tss/eddsa-mps/types.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.11.0

6 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: zahin-mohammad → GitHub Actions (on 2026-04-22) provenance

This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/src/tss/eddsa-mps/commsLayer.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/src/tss/eddsa-mps/dkg.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/src/tss/eddsa-mps/types.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.10.2

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: zahin-mohammad → GitHub Actions (on 2026-04-14) provenance

This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.10.1

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: zahin-mohammad → GitHub Actions (on 2026-04-10) provenance

This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.10.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: zahin-mohammad → GitHub Actions (on 2026-03-27) provenance

This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.9.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: zahin-mohammad → bitgobot (on 2026-01-30) provenance

This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.8.1

2 findings

HIGH Publisher changed: zahin-mohammad → bitgobot (on 2025-10-09) provenance

This version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.8.0

2 findings

HIGH Publisher changed: zahin-mohammad → bitgobot (on 2025-10-08) provenance

This version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v10.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.