@coinbase/cdp-hooks
This package provides React hooks for conveniently accessing embedded wallet functionality. Built on top of `@coinbase/cdp-core`, it offers a React-friendly interface for end user authentication and embedded wallet operations.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/esm/index143.js | AI (source-diff): Long hex string is EVM bytecode for a deployless balance-check contract; stable pattern in this package. | ai | |
| provenance | publisher-changed | AI (provenance): Coinbase org migrated publishing to GitHub Actions CI/CD; consistent with org-level automation across their CDP package suite. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Explicitly declared placeholder package by a trusted publisher; minimal payload and no deps are expected. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Intentional placeholder by Coinbase; 0.0.0 is the declared placeholder version, not a malicious throwaway. | ai | |
| source-diff | encoded-string-file:dist/esm/index121.js | AI (source-diff): Long hex string is EVM bytecode for a deployless balance-check contract; standard viem pattern, not obfuscated payload. | ai | |
| source-diff | encoded-string-file:dist/esm/index107.js | AI (source-diff): Hex strings are EVM bytecode for smart contract deployment, standard for Coinbase CDP SDK. | ai | |
| source-diff | encoded-string-file:dist/esm/index124.js | AI (source-diff): EVM bytecode for a deployless balance-check contract; standard viem/CDP pattern, not obfuscated malware. | ai | |
| source-diff | encoded-string-file:dist/esm/index129.js | AI (source-diff): Long hex string is EVM contract bytecode for a deployless balance-check call; stable pattern in this package. | ai | |
| source-diff | encoded-string-file:dist/esm/index123.js | AI (source-diff): String is EVM contract bytecode for a deployless balance-check call, a documented viem/CDP pattern, not obfuscated malware. | ai | |
| source-diff | encoded-string-file:dist/esm/index122.js | AI (source-diff): EVM bytecode for a deployless balance-check contract; standard viem pattern, not obfuscated payload. | ai | |
| source-diff | encoded-string-file:dist/esm/index105.js | AI (source-diff): Long hex strings are EVM bytecode for smart contract deployment, expected in Coinbase CDP SDK. | ai | |
| source-diff | encoded-string-file:dist/esm/index103.js | AI (source-diff): Hex strings are EVM contract bytecode, standard in Coinbase CDP SDK; not obfuscated malicious payload. | ai | |
| source-diff | encoded-string-file:dist/esm/index102.js | AI (source-diff): Hex strings are EVM bytecode for smart contract deployment — standard pattern in Coinbase CDP SDK. | ai | |
| source-diff | encoded-string-file:dist/esm/index140.js | AI (source-diff): Long hex string is EVM bytecode for a deployless getBalance call — standard pattern in this Coinbase CDP SDK. | ai | |
Versions (showing 51 of 106)
| Version | Deps | Published |
|---|---|---|
| 0.0.110 | 0 / 13 | |
| 0.0.109 | 0 / 13 | |
| 0.0.108 | 0 / 13 | |
| 0.0.107 | 0 / 13 | |
| 0.0.106 | 0 / 13 | |
| 0.0.105 | 0 / 13 | |
| 0.0.104 | 0 / 13 | |
| 0.0.103 | 0 / 13 | |
| 0.0.102 | 0 / 13 | |
| 0.0.101 | 0 / 13 | |
| 0.0.100 | 0 / 13 | |
| 0.0.99 | 0 / 13 | |
| 0.0.98 | 0 / 13 | |
| 0.0.97 | 0 / 13 | |
| 0.0.96 | 0 / 13 | |
| 0.0.95 | 0 / 13 | |
| 0.0.94 | 0 / 13 | |
| 0.0.93 | 0 / 13 | |
| 0.0.92 | 0 / 13 | |
| 0.0.91 | 0 / 13 | |
| 0.0.90 | 0 / 13 | |
| 0.0.89 | 0 / 13 | |
| 0.0.88 | 0 / 13 | |
| 0.0.87 | 0 / 13 | |
| 0.0.86 | 0 / 13 | |
| 0.0.85 | 0 / 13 | |
| 0.0.84 | 0 / 13 | |
| 0.0.83 | 0 / 13 | |
| 0.0.82 | 0 / 13 | |
| 0.0.81 | 0 / 13 | |
| 0.0.80 | 0 / 13 | |
| 0.0.79 | 0 / 13 | |
| 0.0.78 | 0 / 13 | |
| 0.0.77 | 0 / 13 | |
| 0.0.76 | 0 / 13 | |
| 0.0.75 | 0 / 13 | |
| 0.0.74 | 0 / 13 | |
| 0.0.73 | 0 / 13 | |
| 0.0.72 | 0 / 13 | |
| 0.0.71 | 0 / 13 | |
| 0.0.70 | 0 / 13 | |
| 0.0.69 | 0 / 13 | |
| 0.0.68 | 0 / 13 | |
| 0.0.67 | 0 / 13 | |
| 0.0.66 | 0 / 13 | |
| 0.0.65 | 0 / 13 | |
| 0.0.64 | 0 / 13 | |
| 0.0.63 | 0 / 13 | |
| 0.0.62 | 0 / 13 | |
| 0.0.61 | 0 / 13 | |
| 0.0.60 | 0 / 13 | |
v0.0.110
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.109
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.108
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.107
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.106
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.105
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.104
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.103
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.101
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.100
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.99
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.98
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.97
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.96
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.95
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.94
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.93
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.92
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.91
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.90
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.89
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.88
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.87
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.86
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.85
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.84
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.83
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.82
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.81
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.80
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.79
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.78
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.77
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.76
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.75
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.74
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.73
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.72
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.71
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.70
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.69
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.68
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.67
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.66
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.65
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.64
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.63
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.62
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.61
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.60
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.