@galacticcouncil/descriptors

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

nohaapavmrq

Keywords

hydrationdescriptorspapipolkadot-api

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:build/hydration_metadata-DoY1YTM3.js	AI (source-diff): Base64-encoded SCALE metadata blob generated by polkadot-api papi codegen; not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:build/descriptors-DJswfQ2o.js	AI (source-diff): JSON descriptor map (chain pallet/type indices) generated by polkadot-api papi codegen; not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:build/metadataTypes-CL-5_ecF.js	AI (source-diff): Base64-encoded SCALE metadata types blob generated by polkadot-api papi codegen; not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:build/hub_metadata-BEYst3UH.js	AI (source-diff): Base64-encoded SCALE metadata blob generated by polkadot-api papi codegen; not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:build/hydrationIce_metadata-BIAV-HuW.js	AI (source-diff): Base64-encoded SCALE Substrate runtime metadata; standard papi build artifact.	ai	2026/06/04
source-diff	obfuscated-file:build/metadataTypes-UA9qo26T.js	AI (source-diff): Base64-encoded SCALE metadata types; standard papi build artifact.	ai	2026/06/04
source-diff	obfuscated-file:build/descriptors-mWRT2eC8.js	AI (source-diff): papi-generated chain descriptor JSON lookup table; long lines are structural, not obfuscation.	ai	2026/06/04
source-diff	obfuscated-file:build/metadataTypes-FWGCMXKE.mjs	AI (source-diff): papi codegen output: base64-encoded SCALE metadata types blob, not obfuscated malicious code.	ai	2026/06/03
source-diff	obfuscated-file:build/descriptors-XM6FUHC6.mjs	AI (source-diff): papi codegen output: JSON-encoded blockchain type descriptors, not obfuscated malicious code.	ai	2026/06/03
source-diff	obfuscated-file:build/hydrationNext_metadata-JS33IKHG.mjs	AI (source-diff): Base64-encoded SCALE chain metadata blob generated by polkadot-api CLI; not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:build/hub_metadata-FK4DOCYZ.mjs	AI (source-diff): Base64-encoded SCALE chain metadata blob generated by polkadot-api CLI; not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:build/hydration_metadata-MASHB2ZL.mjs	AI (source-diff): Base64-encoded SCALE chain metadata blob generated by polkadot-api CLI; not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:build/metadataTypes-U2QC4OUM.mjs	AI (source-diff): Base64-encoded SCALE type metadata generated by polkadot-api CLI; not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:build/descriptors-I4USDHXR.mjs	AI (source-diff): Minified JSON descriptor tree from polkadot-api CLI output; not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:build/hydrationNext.d.ts	AI (source-diff): Long single-line TypeScript declaration file with generated type names from polkadot-api; not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:build/hydration_metadata-KGTJ7Y2K.mjs	AI (source-diff): Base64-encoded Substrate chain metadata blob; standard papi descriptor build output.	ai	2026/06/02
source-diff	obfuscated-file:build/metadataTypes-RIF3Y4T4.mjs	AI (source-diff): Base64-encoded SCALE metadata types; standard papi descriptor build output.	ai	2026/06/02
source-diff	obfuscated-file:build/descriptors-IW6WQTTP.mjs	AI (source-diff): Generated polkadot-api descriptor JSON; long lines are serialized SCALE type mappings, not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:build/hub_metadata-VJMVMCZ3.mjs	AI (source-diff): Base64-encoded Substrate chain metadata blob; standard papi descriptor build output.	ai	2026/06/02
source-diff	obfuscated-file:build/metadataTypes-EDB66P6C.mjs	AI (source-diff): Base64-encoded metadata types; standard papi descriptor build output.	ai	2026/06/01
source-diff	obfuscated-file:build/descriptors-I7ZFETXF.mjs	AI (source-diff): Polkadot chain descriptor JSON data; expected build artifact for papi descriptor packages.	ai	2026/06/01
source-diff	obfuscated-file:build/hub_metadata-YPWNLSXS.mjs	AI (source-diff): Base64-encoded Substrate chain metadata; standard papi descriptor build output.	ai	2026/06/01
source-diff	obfuscated-file:build/hydration_metadata-O7WNNEDP.mjs	AI (source-diff): Base64-encoded Substrate chain metadata; standard papi descriptor build output.	ai	2026/06/01
source-diff	encoded-string-file:build/index.js	AI (source-diff): Encoded strings are SCALE metadata constants inlined by papi build tooling; not malicious.	ai	2026/06/01
source-diff	obfuscated-file:build/descriptors-TDS6LXED.mjs	AI (source-diff): Generated polkadot-api SCALE metadata descriptor; long lines are JSON-encoded type trees, not obfuscation.	ai	2026/06/01
source-diff	obfuscated-file:build/hub_metadata-YQZLTZT5.mjs	AI (source-diff): Base64-encoded Substrate chain metadata blob; standard papi descriptor output.	ai	2026/06/01
source-diff	obfuscated-file:build/hydration_metadata-BZFC4ZOL.mjs	AI (source-diff): Base64-encoded Substrate chain metadata blob; standard papi descriptor output.	ai	2026/06/01
source-diff	obfuscated-file:build/metadataTypes-76253QQB.mjs	AI (source-diff): Base64-encoded SCALE metadata types; standard papi descriptor output.	ai	2026/06/01
npm-metadata	url-dep:@polkadot-api/descriptors	AI (npm-metadata): Same file: dep pattern; locally generated papi descriptors, stable for this package.	ai	2026/05/30
phantom-deps	phantom-dep:@polkadot-api/descriptors	AI (phantom-deps): Generated descriptor artifact; not directly imported in source but re-exported via build output.	ai	2026/05/30
dependencies	unvetted-dep:@polkadot-api/descriptors	AI (dependencies): file: dep is a papi-generated local artifact bundled at build time; not a registry bypass risk for this package.	ai	2026/05/30
source-diff	obfuscated-file:build/metadataTypes-DNtPDaV_.js	AI (source-diff): SCALE-encoded metadata type registry; standard papi codegen artifact, not obfuscated malware.	ai	2026/05/20
source-diff	encoded-string-file:build/metadataTypes.d.ts	AI (source-diff): Type declaration mirrors the SCALE-encoded metadata content string; expected for papi descriptor packages.	ai	2026/05/20
source-diff	obfuscated-file:build/descriptors-CAHi7U8S.js	AI (source-diff): papi-generated descriptor bundle; large JSON hydration maps are normal codegen output for polkadot-api packages.	ai	2026/05/20

Versions (showing 12 of 12)

Version	Deps	Published
2.3.0	0 / 1	2026-05-29
2.2.0	0 / 1	2026-05-20
2.1.0	0 / 1	2026-05-03
2.0.0	0 / 1	2026-04-28
1.16.0	0 / 1	2026-04-14
1.11.0	0 / 1	2026-02-12
1.10.0	0 / 1	2026-02-01
1.9.0	0 / 1	2026-01-23
1.8.0	0 / 1	2026-01-12
1.7.0	0 / 1	2025-12-09
1.6.0	0 / 1	2025-12-05
1.5.1	1 / 1	2025-11-11

v2.3.0

6 findings

HIGH New obfuscated file: build/descriptors-DJswfQ2o.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hub_metadata-BEYst3UH.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydration_metadata-DoY1YTM3.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydrationIce_metadata-BIAV-HuW.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/metadataTypes-CL-5_ecF.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

4 findings

HIGH New obfuscated file: build/descriptors-mWRT2eC8.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydrationIce_metadata-BIAV-HuW.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/metadataTypes-UA9qo26T.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

4 findings

HIGH New obfuscated file: build/descriptors-CAHi7U8S.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/metadataTypes-DNtPDaV_.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: build/metadataTypes.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.16.0

9 findings

HIGH New obfuscated file: build/descriptors-I4USDHXR.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hub_metadata-FK4DOCYZ.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydration_metadata-MASHB2ZL.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydrationNext_metadata-JS33IKHG.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/metadataTypes-U2QC4OUM.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydrationNext.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: build/index.js source-diff

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/metadataTypes.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.0

7 findings

HIGH New obfuscated file: build/descriptors-TDS6LXED.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hub_metadata-YQZLTZT5.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydration_metadata-BZFC4ZOL.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/metadataTypes-76253QQB.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: build/index.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/metadataTypes.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.10.0

7 findings

HIGH New obfuscated file: build/descriptors-IW6WQTTP.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hub_metadata-VJMVMCZ3.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydration_metadata-KGTJ7Y2K.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/metadataTypes-RIF3Y4T4.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: build/index.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/metadataTypes.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.0

7 findings

HIGH New obfuscated file: build/descriptors-XM6FUHC6.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hub_metadata-VJMVMCZ3.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/hydration_metadata-KGTJ7Y2K.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: build/metadataTypes-FWGCMXKE.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: build/index.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/metadataTypes.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.0