bcrypto — Greenflagged

JS crypto library

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

chjj

Keywords

ciphercryptocryptographycurvedigestececcelliptichashhashing

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:bufio	AI (dependencies): bufio is a bcoin-org package published by the same author (chjj) as bcrypto; it is a trusted sibling dependency within the same ecosystem.	ai	2026/04/24
phantom-deps	phantom-dep:nan	AI (phantom-deps): nan is used by node-gyp for native addon compatibility; it is referenced in build config files as expected for a native C++ addon package.	ai	2026/04/24
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is a core utility in a cryptography library; no malicious payload hiding, just standard encoding operations.	ai	2026/04/24
typosquat	typosquat.levenshtein:bcryptjs	AI (typosquat): bcrypto is a distinct, well-established crypto library in the bcoin-org ecosystem, not a typosquat of bcryptjs.	ai	2026/04/23
typosquat	typosquat.levenshtein:bcrypt	AI (typosquat): bcrypto is a distinct, well-established crypto library in the bcoin-org ecosystem, not a typosquat of bcrypt.	ai	2026/04/23
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding is expected and legitimate in a cryptography library handling PEM/encoding formats; not indicative of malicious payloads.	ai	2026/04/23
install-scripts	install-script:install	AI (install-scripts): bcrypto is a native crypto addon; node-gyp rebuild is the standard and expected install script for building C bindings.	ai	2026/04/23