← Home

@unisat/wallet-background

npm

Complete wallet background logic for UniSat wallet, cross-platform compatible

3
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

huanniangstudio

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff encoded-string-file:lib/index.js AI (source-diff): Long hex strings are dummy Bitcoin script witnesses (all zeros), not encoded payloads. ai
source-diff encoded-string-file:lib/index.mjs AI (source-diff): Same dummy script witness hex constants in ESM build; benign by inspection. ai
semgrep semgrep:hex-decode AI (semgrep): All hex-decode hits are Bitcoin script constants (PSBT witness data, script templates) — standard in a Bitcoin wallet library. ai
phantom-deps phantom-dep:lodash-es AI (phantom-deps): Listed as runtime dep; may be used in ESM build output not directly traceable by static import analysis. ai
phantom-deps phantom-dep:randomstring AI (phantom-deps): Listed as runtime dep; phantom-dep heuristic may miss indirect or dynamic usage in bundled output. ai
phantom-deps phantom-dep:compare-versions AI (phantom-deps): Listed as runtime dep; phantom-dep heuristic may miss usage in bundled output. ai

Versions (showing 3 of 3)

Version Deps Published
3.0.1 11 / 6
3.0.0 11 / 6
2.0.0 11 / 6

v3.0.1

3 findings
HIGH Long encoded string in modified file: lib/index.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: lib/index.mjs source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

3 findings
HIGH Long encoded string in modified file: lib/index.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: lib/index.mjs source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.