@interchainjs/ethereum — Greenflagged

Transaction codec and client to communicate with ethereum blockchain

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pyramationzetazz

Keywords

ethereumblockchaintransaction

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() is used in a standard Proxy trap pattern for dynamic contract property access — normal for an Ethereum contract encoding library, not obfuscation.	ai	2026/04/23
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding via Buffer.from(hex, 'hex') is standard encoding utility code in an Ethereum library; no malicious payload present.	ai	2026/04/23
dependencies	unvetted-dep:ethereum-cryptography	AI (dependencies): ethereum-cryptography is a standard, widely-used Ethereum cryptography library; expected for this package's purpose.	ai	2026/04/23
dependencies	unvetted-dep:rlp	AI (dependencies): rlp is a well-known Ethereum RLP encoding library; expected dependency for an Ethereum transaction codec package.	ai	2026/04/23
dependencies	unvetted-dep:@interchainjs/auth	AI (dependencies): Sibling package from the same publisher (zetazz/Hyperweb) with a strong track record; expected internal dependency.	ai	2026/04/23
dependencies	unvetted-dep:@interchainjs/utils	AI (dependencies): Sibling package from the same publisher (zetazz/Hyperweb) with a strong track record; expected internal dependency.	ai	2026/04/23
dependencies	unvetted-dep:@ethersproject/transactions	AI (dependencies): Part of the well-known ethers.js v5 suite; expected dependency for an Ethereum transaction codec.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): pyramation is the hyperweb-io/interchainjs monorepo maintainer with 2681 approved packages and 0 rejected. The transition from zetazz to pyramation reflects a legitimate organizational handoff within the same project.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): @interchainjs/encoding is a sibling package in the same monorepo/namespace, published by the same maintainer. Intra-monorepo dependency additions are routine refactoring.	ai	2026/04/23
phantom-deps	phantom-dep:@noble/hashes	AI (phantom-deps): Declared in package.json for transitive/config use in a monorepo context; not a security concern for this Ethereum library.	ai	2026/04/21
phantom-deps	phantom-dep:@ethersproject/transactions	AI (phantom-deps): Ethersproject packages declared for config/transitive use; standard pattern in Ethereum libraries.	ai	2026/04/21
phantom-deps	phantom-dep:@ethersproject/bignumber	AI (phantom-deps): Ethersproject packages declared for config/transitive use; standard pattern in Ethereum libraries.	ai	2026/04/21
phantom-deps	phantom-dep:@ethersproject/bytes	AI (phantom-deps): Ethersproject packages declared for config/transitive use; standard pattern in Ethereum libraries.	ai	2026/04/21
phantom-deps	phantom-dep:@ethersproject/hash	AI (phantom-deps): Ethersproject packages declared for config/transitive use; standard pattern in Ethereum libraries.	ai	2026/04/21

Versions (showing 74 of 74)

Version	Deps	Published
1.21.0	14 / 8	2026-03-01
1.20.0	14 / 8	2026-03-01
1.19.2	13 / 8	2026-02-27
1.19.1	13 / 8	2025-12-16
1.19.0	13 / 8	2025-12-11
1.18.0	13 / 8	2025-10-14
1.17.8	13 / 8	2025-10-02
1.17.7	13 / 8	2025-10-02
1.17.6	13 / 8	2025-09-22
1.17.5	13 / 8	2025-09-16
1.17.4	13 / 7	2025-09-11
1.17.3	13 / 7	2025-08-26
1.17.2	13 / 7	2025-08-25
1.17.1	13 / 7	2025-08-22
1.17.0	13 / 7	2025-08-22
1.16.7	13 / 7	2025-08-19
1.16.6	13 / 7	2025-08-18
1.16.5	13 / 7	2025-08-18
1.16.4	13 / 7	2025-08-18
1.16.3	13 / 7	2025-08-14
1.16.2	13 / 7	2025-08-14
1.16.1	13 / 7	2025-08-14
1.16.0	13 / 7	2025-08-14
1.13.5	13 / 7	2025-08-13
1.13.0	12 / 6	2025-08-06
1.12.2	12 / 6	2025-08-06
1.12.1	12 / 6	2025-08-05
1.12.0	12 / 6	2025-08-03
1.11.18	9 / 2	2025-06-20
1.11.15	10 / 2	2025-06-08
1.11.14	10 / 2	2025-06-04
1.11.13	10 / 2	2025-06-03
1.11.12	10 / 2	2025-05-29
1.11.11	10 / 2	2025-05-22
1.11.10	10 / 2	2025-05-15
1.11.9	10 / 2	2025-05-10
1.11.8	10 / 2	2025-05-09
1.11.7	10 / 2	2025-05-09
1.11.6	10 / 2	2025-05-08
1.11.5	10 / 2	2025-04-24
1.11.4	10 / 2	2025-04-21
1.11.3	10 / 2	2025-04-21
1.11.2	10 / 2	2025-04-15
1.11.1	10 / 2	2025-04-14
1.11.0	10 / 2	2025-04-09
1.10.1	10 / 2	2025-04-07
1.10.0	10 / 2	2025-03-21
1.9.16	10 / 2	2025-03-18
1.9.15	10 / 0	2025-03-13
1.9.14	10 / 0	2025-03-03
1.9.13	10 / 0	2025-02-21
1.9.12	10 / 0	2025-02-17
1.9.11	10 / 0	2025-02-14
1.9.6	10 / 0	2025-02-14
1.9.5	10 / 0	2025-02-14
1.9.4	8 / 0	2025-02-12
1.8.3	8 / 0	2025-02-07
1.8.2	8 / 0	2025-01-29
1.8.1	8 / 0	2025-01-29
1.8.0	8 / 0	2025-01-28
1.7.10	8 / 0	2025-01-28
1.7.9	8 / 0	2025-01-27
1.7.8	8 / 0	2025-01-26
1.7.6	8 / 0	2025-01-22
1.7.5	8 / 0	2025-01-22
1.7.1	8 / 0	2025-01-22
1.7.0	8 / 0	2025-01-13
1.6.3	8 / 0	2024-12-17
1.6.2	8 / 0	2024-12-17
1.6.1	8 / 0	2024-12-17
1.6.0	8 / 0	2024-12-17
0.0.8	7 / 0	2024-04-03
0.0.7	7 / 0	2024-04-03
0.0.6	7 / 0	2024-04-02

v1.21.0

2 findings

HIGH Publisher changed: zetazz → pyramation (on 2026-03-01) provenance

This version was published by a different npm account than previous versions on 2026-03-01. This could indicate a legitimate maintainer transition or an account compromise.