@interchainjs/cosmos — Greenflagged

Transaction codec and client to communicate with any cosmos blockchain

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pyramationzetazz

Keywords

cosmosblockchaintransaction

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): pyramation is the primary hyperweb-io org maintainer with 2736 approved packages and no rejections; transition from zetazz is a legitimate org consolidation within the same monorepo.	ai	2026/04/23
phantom-deps	phantom-dep:bech32	AI (phantom-deps): Bech32 is core to Cosmos address encoding; used indirectly.	ai	2026/04/21
phantom-deps	phantom-dep:decimal.js	AI (phantom-deps): Declared dep used indirectly; common monorepo pattern.	ai	2026/04/21
phantom-deps	phantom-dep:bignumber.js	AI (phantom-deps): Declared dep used indirectly; common monorepo pattern.	ai	2026/04/21
phantom-deps	phantom-dep:@noble/curves	AI (phantom-deps): Crypto dep used indirectly for key operations; expected for blockchain SDK.	ai	2026/04/21
phantom-deps	phantom-dep:ws	AI (phantom-deps): Declared dep used indirectly via sub-modules; common monorepo pattern.	ai	2026/04/21
phantom-deps	phantom-dep:@interchainjs/crypto	AI (phantom-deps): Same-org sibling package used indirectly; monorepo pattern.	ai	2026/04/21
semgrep	semgrep:hex-decode	AI (semgrep): Standard blockchain hex-to-base64 hash conversion; no obfuscation, clearly readable utility code in a Cosmos transaction library.	ai	2026/04/21
semgrep	semgrep:base64-decode	AI (semgrep): Standard base64 decoding of blockchain response data (block hashes); benign and expected in a Cosmos client library.	ai	2026/04/21
phantom-deps	phantom-dep:@noble/hashes	AI (phantom-deps): Crypto dep used indirectly for hashing; expected for blockchain SDK.	ai	2026/04/21

Versions (showing 51 of 77)

View all versions

Version	Deps	Published
1.21.0	16 / 6	2026-03-01
1.20.0	16 / 6	2026-03-01
1.19.4	16 / 6	2026-02-27
1.19.3	16 / 6	2025-12-30
1.19.2	16 / 6	2025-12-16
1.19.1	16 / 6	2025-12-16
1.19.0	16 / 6	2025-12-11
1.18.0	16 / 6	2025-10-14
1.17.8	16 / 6	2025-10-02
1.17.7	16 / 6	2025-10-02
1.17.6	16 / 6	2025-09-22
1.17.5	14 / 6	2025-09-16
1.17.4	14 / 5	2025-09-11
1.17.3	14 / 5	2025-08-26
1.17.2	14 / 5	2025-08-25
1.17.1	14 / 5	2025-08-22
1.17.0	14 / 5	2025-08-22
1.16.7	14 / 5	2025-08-19
1.16.6	14 / 5	2025-08-18
1.16.5	14 / 5	2025-08-18
1.16.4	14 / 5	2025-08-18
1.16.3	14 / 5	2025-08-14
1.16.2	14 / 5	2025-08-14
1.16.1	14 / 5	2025-08-14
1.16.0	14 / 5	2025-08-14
1.13.5	14 / 5	2025-08-13
1.13.0	9 / 0	2025-08-06
1.12.2	9 / 0	2025-08-06
1.12.1	9 / 0	2025-08-05
1.12.0	9 / 0	2025-08-03
1.11.18	7 / 0	2025-06-20
1.11.15	7 / 0	2025-06-08
1.11.14	7 / 0	2025-06-04
1.11.13	7 / 0	2025-06-03
1.11.12	7 / 0	2025-05-29
1.11.11	7 / 0	2025-05-22
1.11.10	7 / 0	2025-05-15
1.11.9	7 / 0	2025-05-10
1.11.8	7 / 0	2025-05-09
1.11.7	7 / 0	2025-05-09
1.11.6	7 / 0	2025-05-08
1.11.5	7 / 0	2025-04-24
1.11.4	9 / 0	2025-04-21
1.11.3	9 / 0	2025-04-21
1.11.2	9 / 0	2025-04-15
1.11.1	9 / 0	2025-04-14
1.11.0	9 / 0	2025-04-09
1.10.1	9 / 0	2025-04-07
1.10.0	9 / 0	2025-03-21
1.9.16	9 / 0	2025-03-18
1.9.15	9 / 0	2025-03-13

v1.21.0

2 findings

HIGH Publisher changed: zetazz → pyramation (on 2026-03-01) provenance

This version was published by a different npm account than previous versions on 2026-03-01. This could indicate a legitimate maintainer transition or an account compromise.