@onekeyfe/hd-web-sdk
`@onekeyfe/hd-web-sdk` is a browser implementation of hardware-sdk that creates an iframe and communicates with transport through the iframe to avoid cross-domain issues.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/js/iframe.1cc03458e5b01e63bda8.js | AI (source-diff): Webpack-bundled iframe artifact; minification is expected for this hardware wallet web SDK. | ai | |
| source-diff | net-exec-file:build/js/iframe.1cc03458e5b01e63bda8.js | AI (source-diff): Network + dynamic code patterns are standard in webpack bundles for this SDK; sample shows benign EventEmitter code. | ai | |
| source-diff | encoded-string-file:build/onekey-js-sdk.js | AI (source-diff): Long strings in minified webpack bundle; sample confirms standard EventEmitter library code, not obfuscated payload. | ai | |
| provenance | no-provenance | AI (provenance): Established OneKey SDK monorepo; provenance not used across any of its 472 published versions. | ai |
v1.1.26
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 52 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.25
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.