@x402/paywall
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/cjs/avm/index.cjs | AI (source-diff): Bundled blockchain SDK code; network calls + dynamic patterns are from wallet/chain libs. | ai | |
| source-diff | obfuscated-file:dist/esm/avm/index.js | AI (source-diff): Standard esbuild ESM bundle output with inlined HTML templates; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cjs/avm/index.cjs | AI (source-diff): Standard esbuild CJS bundle output with inlined HTML templates; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/esm/avm/index.js | AI (source-diff): Bundled blockchain SDK code; network calls + dynamic patterns are from wallet/chain libs. | ai | |
| source-diff | net-exec-file:dist/cjs/evm/index.cjs | AI (source-diff): Wallet/blockchain SDK bundle naturally contains network calls; no malicious exec patterns. | ai | |
| source-diff | obfuscated-file:dist/esm/svm/index.js | AI (source-diff): tsup/esbuild bundle output; long lines are inlined HTML/CSS templates. | ai | |
| source-diff | obfuscated-file:dist/esm/index.js | AI (source-diff): tsup/esbuild bundle output; long lines are inlined HTML/CSS templates. | ai | |
| source-diff | obfuscated-file:dist/esm/evm/index.js | AI (source-diff): tsup/esbuild bundle output; long lines are inlined HTML/CSS templates. | ai | |
| source-diff | obfuscated-file:dist/cjs/svm/index.cjs | AI (source-diff): tsup/esbuild bundle output; long lines are inlined HTML/CSS templates. | ai | |
| source-diff | obfuscated-file:dist/cjs/evm/index.cjs | AI (source-diff): tsup/esbuild bundle output with readable boilerplate and inlined HTML templates, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cjs/index.cjs | AI (source-diff): tsup/esbuild bundle output; long lines are inlined HTML/CSS templates. | ai | |
| source-diff | net-exec-file:dist/esm/index.js | AI (source-diff): Wallet/blockchain SDK bundle naturally contains network calls; no malicious exec patterns. | ai | |
| source-diff | net-exec-file:dist/esm/evm/index.js | AI (source-diff): Wallet/blockchain SDK bundle naturally contains network calls; no malicious exec patterns. | ai | |
| source-diff | net-exec-file:dist/cjs/index.cjs | AI (source-diff): Wallet/blockchain SDK bundle naturally contains network calls; no malicious exec patterns. | ai | |
| source-diff | encoded-string-file:dist/esm/index.js | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/cjs/avm/index.cjs | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/cjs/evm/index.cjs | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/cjs/index.cjs | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/cjs/svm/index.cjs | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/esm/avm/index.js | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/esm/evm/index.js | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/esm/svm/index.js | AI (source-diff): Long strings are inlined HTML/CSS paywall templates, not obfuscated payloads — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:viem | AI (phantom-deps): Peer/optional wallet dep pattern; stable false positive for this paywall UI package. | ai | |
| phantom-deps | phantom-dep:@solana/wallet-standard-features | AI (phantom-deps): Peer/optional wallet dep pattern; stable false positive for this paywall UI package. | ai | |
| phantom-deps | phantom-dep:@algorandfoundation/algokit-utils | AI (phantom-deps): Peer/optional wallet dep pattern; stable false positive for this paywall UI package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Early-stage Coinbase SDK stub; tiny payload and sparse metadata are expected for v0.0.1 placeholder in the x402 protocol suite. | ai | |
| phantom-deps | phantom-dep:@perawallet/connect | AI (phantom-deps): Algorand Pera wallet connector; expected for AVM paywall support. | ai | |
| phantom-deps | phantom-dep:@txnlab/use-wallet | AI (phantom-deps): Algorand wallet integration dep; expected for AVM paywall support. | ai | |
| phantom-deps | phantom-dep:@wagmi/connectors | AI (phantom-deps): EVM wallet connector dep; expected for paywall UI. | ai | |
| phantom-deps | phantom-dep:lute-connect | AI (phantom-deps): Algorand wallet connector; expected for AVM paywall support. | ai | |
| phantom-deps | phantom-dep:@wagmi/core | AI (phantom-deps): EVM wallet integration dep; expected for paywall UI. | ai | |
| phantom-deps | phantom-dep:@solana/kit | AI (phantom-deps): Solana integration dep; expected for SVM paywall support. | ai | |
| phantom-deps | phantom-dep:@scure/base | AI (phantom-deps): Crypto utility dep; legitimately declared for multi-chain paywall. | ai | |
| phantom-deps | phantom-dep:@x402/core | AI (phantom-deps): Same-org sibling package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Legitimately declared runtime dep for a multi-chain paywall UI; referenced in build/config files. | ai | |
| phantom-deps | phantom-dep:wagmi | AI (phantom-deps): EVM wallet integration dep; expected for paywall UI supporting multiple chains. | ai | |
| phantom-deps | phantom-dep:@wallet-standard/features | AI (phantom-deps): Wallet standard dep; expected for multi-chain paywall. | ai | |
| phantom-deps | phantom-dep:@solana-program/token-2022 | AI (phantom-deps): Solana token-2022 program dep; expected for SVM paywall support. | ai | |
| phantom-deps | phantom-dep:@walletconnect/sign-client | AI (phantom-deps): WalletConnect integration dep; expected for multi-chain paywall. | ai | |
| phantom-deps | phantom-dep:@solana-program/compute-budget | AI (phantom-deps): Solana compute budget dep; expected for SVM paywall support. | ai | |
| phantom-deps | phantom-dep:@solana/transaction-confirmation | AI (phantom-deps): Solana transaction dep; expected for SVM paywall support. | ai | |
| phantom-deps | phantom-dep:@blockshake/defly-connect | AI (phantom-deps): Algorand Defly wallet connector; expected for AVM paywall support. | ai | |
| phantom-deps | phantom-dep:@wallet-standard/base | AI (phantom-deps): Wallet standard dep; expected for multi-chain paywall. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): React data-fetching dep; expected for paywall UI. | ai | |
| phantom-deps | phantom-dep:@wallet-standard/app | AI (phantom-deps): Wallet standard dep; expected for multi-chain paywall. | ai | |
| phantom-deps | phantom-dep:@solana-program/token | AI (phantom-deps): Solana token program dep; expected for SVM paywall support. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 2.14.0 | 22 / 25 | |
| 2.13.0 | 22 / 25 | |
| 2.12.0 | 22 / 25 | |
| 2.11.0 | 23 / 25 | |
| 2.10.0 | 23 / 25 | |
| 2.9.0 | 17 / 24 | |
| 0.0.1 | 0 / 0 | |
v2.14.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.13.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.12.0
10 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 13 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 23 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 13 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 23 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 5 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.0
17 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.0
13 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.