@metamask/multichain-transactions-controller

This package is responsible for getting transactions from our Bitcoin and Solana snaps

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

kumavismetamaskbotgudahtt

Keywords

EthereumMetaMask

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): gudahtt is a known MetaMask contributor; addition is consistent with org-level maintainer management.	ai	2026/05/02
publish-pattern	dormant-publish	AI (publish-pattern): MetaMask monorepo sub-packages can have long gaps between releases; publisher track record is clean.	ai	2026/05/02
publish-pattern	new-deps-added	AI (publish-pattern): Both new deps are first-party @metamask packages from the same monorepo; not a supply-chain risk.	ai	2026/05/02
phantom-deps	phantom-dep:uuid	AI (phantom-deps): uuid is a declared runtime dependency; phantom-dep false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@metamask/snaps-sdk	AI (phantom-deps): Same-org dependency; phantom-dep heuristic false positive for monorepo packages.	ai	2026/04/28
phantom-deps	phantom-dep:@types/uuid	AI (phantom-deps): Type-only package declared in dependencies; framework-scoped false positive.	ai	2026/04/28
phantom-deps	phantom-dep:immer	AI (phantom-deps): immer is a declared runtime dependency; phantom-dep false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@metamask/polling-controller	AI (phantom-deps): Same-org dependency; phantom-dep heuristic false positive for monorepo packages.	ai	2026/04/28
phantom-deps	phantom-dep:@metamask/keyring-internal-api	AI (phantom-deps): Same-org dependency; phantom-dep heuristic false positive for monorepo packages.	ai	2026/04/28