@lombard.finance/sdk
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/chunks/statusConstants-B9JY-9Dm.cjs | AI (source-diff): Minified status constants/error codes bundle; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chunks/BtcActions-7QjAN6OW.cjs | AI (source-diff): Standard vite/rollup minified output; samples show legitimate BTC deposit/confirmation logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chunks/config-BfX8lrdO.cjs | AI (source-diff): Minified bundle containing ABI JSON and config constants; no malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/chunks/defi-registry-CyMKVT3z.cjs | AI (source-diff): Minified bundle with DeFi registry constants and ABI; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chunks/events-CnxJdwys.cjs | AI (source-diff): Minified SDK events/logger bundle; no malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/chunks/EvmActions-D9yTiCR0.cjs | AI (source-diff): Minified EVM actions bundle; sample shows standard fee/signing logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chunks/get-vault-tvl-dvEPPxvT.cjs | AI (source-diff): Minified vault TVL fetch logic; no malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/chunks/get-vault-withdrawals-Cgx7VsM1.cjs | AI (source-diff): Minified vault withdrawals fetch; no malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/bridge/lib/config.d.ts | AI (source-diff): Long lines are TypeScript union types of chain-ID string pairs, not obfuscated code. | ai | |
| source-diff | encoded-string-file:dist/index2.cjs | AI (source-diff): Long hex strings are EVM contract deployment bytecode, normal for a DeFi bridge SDK. | ai | |
| source-diff | encoded-string-file:dist/index2.js | AI (source-diff): Same as CJS counterpart — EVM bytecode hex literals, not malicious payloads. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is standard bitcoinjs-lib output script parsing; not a payload obfuscation pattern. | ai | |
| semgrep | semgrep:shady-links-tlds | AI (semgrep): rpc.gobob.xyz is the legitimate BOB chain RPC endpoint; .xyz TLD is not suspicious in this context. | ai | |
| phantom-deps | phantom-dep:vite | AI (phantom-deps): vite is used as a build tool via config files, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:isows | AI (phantom-deps): isows is a declared runtime dep used transitively; phantom-dep heuristic false positive for this package. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 4.7.2 | 2 / 21 | |
| 4.1.2 | 3 / 21 | |
| 4.1.0 | 3 / 21 | |
| 4.0.0 | 4 / 20 | |
| 3.7.4 | 4 / 19 | |
| 3.7.3 | 4 / 19 | |
| 3.7.2 | 4 / 19 | |
| 3.7.1 | 4 / 20 | |
| 3.7.0 | 4 / 20 | |
| 3.6.23 | 4 / 20 | |
v4.7.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.2
3 findings:
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.4
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.3
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.2
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.1
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.