@metamask/browser-playground
A browser test dapp for multichain api
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/static/js/main.ddd1d44e.js | AI (source-diff): Bundled React app naturally contains fetch/eval patterns; not malicious for this package. | ai | |
| source-diff | obfuscated-file:build/static/js/main.ddd1d44e.js | AI (source-diff): Standard CRA/webpack production bundle; minification expected for this browser playground package. | ai | |
| source-diff | net-exec-file:build/static/js/main.5a1e472c.js | AI (source-diff): Network calls and dynamic module loading are inherent to a bundled React dapp; no dropper/loader pattern present. | ai | |
| source-diff | obfuscated-file:build/static/js/main.5a1e472c.js | AI (source-diff): Standard webpack minified build output for a MetaMask browser playground; expected artifact. | ai | |
| source-diff | obfuscated-file:build/static/js/main.31e1a1d6.js | AI (source-diff): Standard webpack-minified React app bundle; source maps included; legitimate MetaMask playground package. | ai | |
| source-diff | net-exec-file:build/static/js/main.31e1a1d6.js | AI (source-diff): Browser app bundle combining fetch/XHR with dynamic module loading is expected for a React dapp; no dropper pattern evident in samples. | ai | |
| source-diff | net-exec-file:build/static/js/main.11fdc90f.js | AI (source-diff): Browser dapp bundle legitimately contains fetch calls and dynamic module loading via webpack runtime; not dropper behavior. | ai | |
| source-diff | obfuscated-file:build/static/js/main.11fdc90f.js | AI (source-diff): Standard webpack minified main bundle from craco build; expected output for this browser playground package. | ai | |
| source-diff | obfuscated-file:build/static/js/921.58d10f34.chunk.js | AI (source-diff): Standard webpack-minified React build output for a browser dapp; not obfuscation. | ai | |
| source-diff | obfuscated-file:build/static/js/127.6f28ac63.chunk.js | AI (source-diff): Standard webpack-minified React build output for a browser dapp; not obfuscation. | ai | |
| source-diff | obfuscated-file:build/static/js/288.51cc5192.chunk.js | AI (source-diff): Standard webpack-minified React build output for a browser dapp; not obfuscation. | ai | |
| source-diff | obfuscated-file:build/static/js/main.2f01c3f9.js | AI (source-diff): Standard webpack-minified React build output for a browser dapp; not obfuscation. | ai | |
| source-diff | net-exec-file:build/static/js/main.2f01c3f9.js | AI (source-diff): Browser dapp bundle; network calls and dynamic module loading are expected in a webpack React app. | ai | |
| source-diff | net-exec-file:build/static/js/main.8cb80a7d.js | AI (source-diff): Network calls and dynamic module loading are expected in a bundled browser dapp; no dropper behavior evident. | ai | |
| source-diff | obfuscated-file:build/static/js/main.8cb80a7d.js | AI (source-diff): Standard webpack minified build output for a React dapp; not obfuscation. | ai | |
| source-diff | obfuscated-file:build/static/js/29.8d088763.chunk.js | AI (source-diff): Standard webpack minified build output for a React dapp; not obfuscation. | ai | |
| source-diff | obfuscated-file:build/static/js/main.68735b63.js | AI (source-diff): Standard CRA/craco production bundle; minified output is expected for this browser playground package. | ai | |
| source-diff | net-exec-file:build/static/js/main.68735b63.js | AI (source-diff): Network calls and dynamic module loading are normal in a bundled React dapp; no dropper behavior evident in sample. | ai | |
| source-diff | obfuscated-file:build/static/js/main.4f702492.js | AI (source-diff): Standard CRA webpack bundle for a browser playground; minification is expected, not malicious. | ai | |
| source-diff | net-exec-file:build/static/js/main.4f702492.js | AI (source-diff): React SPA bundle legitimately contains fetch calls and dynamic module loading; no dropper pattern present. | ai | |
| source-diff | obfuscated-file:build/static/js/main.8bf2a014.js | AI (source-diff): Standard CRA webpack bundle; minification is expected for this browser playground package. | ai | |
| source-diff | net-exec-file:build/static/js/main.8bf2a014.js | AI (source-diff): Network calls + dynamic module loading are normal in a bundled React dapp; no dropper indicators in sampled code. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.7.5 | 0 / 51 | |
| 0.7.4 | 0 / 51 | |
| 0.7.3 | 0 / 51 | |
| 0.7.2 | 0 / 51 | |
| 0.7.1 | 0 / 51 | |
| 0.7.0 | 0 / 51 | |
| 0.6.6 | 0 / 51 | |
| 0.6.5 | 0 / 51 | |
| 0.6.4 | 0 / 51 | |
| 0.6.3 | 0 / 51 | |
| 0.6.2 | 0 / 51 | |
| 0.6.1 | 0 / 51 | |
| 0.6.0 | 0 / 51 | |
v0.7.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.4
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.6
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.