@reown/appkit-cdn — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

cyberdrkreown-npm-org

Keywords

appkitwalletonboardingreowndappsweb3wagmiethereumsolanabitcoin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/appkit-68jVDX5p.js	AI (source-diff): Vite-bundled CDN output; readable code with known WalletConnect/Reown patterns, not malicious obfuscation.	ai	2026/05/22
source-diff	obfuscated-file:dist/copy-v1d3UGcR.js	AI (source-diff): Vite-bundled CDN output; SVG/UI component code, not malicious obfuscation.	ai	2026/05/22
source-diff	obfuscated-file:dist/core-B634ibr6.js	AI (source-diff): Vite-bundled CDN output; WalletConnect core constants and imports, not malicious obfuscation.	ai	2026/05/22
phantom-deps	phantom-dep:@wagmi/core	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@reown/appkit	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@wagmi/connectors	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@reown/appkit-polyfills	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:viem	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@reown/appkit-adapter-ethers	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@reown/appkit-adapter-solana	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@reown/appkit-adapter-ethers5	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@reown/appkit-adapter-wagmi	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:vite	AI (phantom-deps): Build tool referenced in config; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:wagmi	AI (phantom-deps): Build-time dependency for CDN bundle; stable pattern for this package.	ai	2026/05/04

Versions (showing 2 of 2)

Version	Deps	Published
1.8.20	11 / 2	2026-05-20
1.8.19	11 / 2	2026-03-04

v1.8.20

4 findings

HIGH New obfuscated file: dist/appkit-68jVDX5p.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/copy-v1d3UGcR.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/core-B634ibr6.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.8.19

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.