starknetkit
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/Modal-e63a001a.js | AI (source-diff): Standard Vite minified ESM build output for UI modal. | ai | |
| source-diff | obfuscated-file:dist/secp256k1-0517cc19.cjs | AI (source-diff): Standard minified crypto library output; expected in wallet toolkit. | ai | |
| source-diff | net-exec-file:dist/index-4f7b26a7.js | AI (source-diff): Network calls to known Starknet RPC endpoints; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-40f0fb49.js | AI (source-diff): Standard Vite minified ESM build output. | ai | |
| source-diff | net-exec-file:dist/core-40df00f1.cjs | AI (source-diff): Module federation runtime legitimately fetches remote modules; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-d4ee51c3.cjs | AI (source-diff): Standard Vite minified build output; contains recognizable RPC endpoint strings. | ai | |
| source-diff | net-exec-file:dist/index-d4ee51c3.cjs | AI (source-diff): Network calls are to known Starknet RPC endpoints; dynamic code is module loading. | ai | |
| source-diff | obfuscated-file:dist/Modal-3e8c8892.cjs | AI (source-diff): Standard Vite minified build output for UI modal component. | ai | |
| source-diff | obfuscated-file:dist/index-03ccf5ea.js | AI (source-diff): Standard Vite minified ESM build output. | ai | |
| source-diff | net-exec-file:dist/core-7c9d487b.js | AI (source-diff): Module federation runtime; same pattern as CJS counterpart. | ai | |
| source-diff | obfuscated-file:dist/core-7c9d487b.js | AI (source-diff): Standard Vite minified ESM build output. | ai | |
| source-diff | obfuscated-file:dist/index-99f90fd4.cjs | AI (source-diff): Standard Vite minified build output. | ai | |
| source-diff | obfuscated-file:dist/index-3ed0d8c7.cjs | AI (source-diff): Standard Vite minified build output for wallet connector. | ai | |
| source-diff | obfuscated-file:dist/core-40df00f1.cjs | AI (source-diff): Standard Vite minified build output; Federation Runtime module federation code. | ai | |
| source-diff | obfuscated-file:dist/index-3aafd5f8.cjs | AI (source-diff): Standard minified bundle output for starknetkit. | ai | |
| source-diff | obfuscated-file:dist/index-e1385de3.cjs | AI (source-diff): Minified bundle; network calls are known Starknet RPC endpoints (chainstack, lava.build). | ai | |
| source-diff | net-exec-file:dist/index-e1385de3.cjs | AI (source-diff): RPC endpoint selection and WalletConnect cleanup; no dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/Modal-abb441e5.cjs | AI (source-diff): Minified UI modal bundle; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/secp256k1-b4bd93eb.cjs | AI (source-diff): Crypto primitive bundle; expected in a wallet connection library. | ai | |
| source-diff | net-exec-file:dist/index-149dde8d.js | AI (source-diff): ESM bundle with RPC calls; consistent with wallet kit functionality. | ai | |
| source-diff | obfuscated-file:dist/index-cc03debb.js | AI (source-diff): Minified ESM bundle; standard build output. | ai | |
| source-diff | obfuscated-file:dist/Modal-a26f22e6.js | AI (source-diff): Minified UI modal ESM bundle; expected build artifact. | ai | |
| source-diff | net-exec-file:dist/index-6407db28.js | AI (source-diff): Network calls are public Starknet RPC endpoints; expected for wallet connector. | ai | |
| source-diff | obfuscated-file:dist/connector-e4ffe813.cjs | AI (source-diff): Standard Vite/Rollup minified output for wallet connector library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/controllerConnector.cjs | AI (source-diff): Standard Vite/Rollup minified output; cartridge controller connector code. | ai | |
| source-diff | obfuscated-file:dist/core-3c086619.cjs | AI (source-diff): Standard Vite/Rollup minified output; federation runtime and wallet core logic. | ai | |
| source-diff | net-exec-file:dist/core-3c086619.cjs | AI (source-diff): Network calls are RPC endpoints; dynamic exec is module federation loader — expected for this package. | ai | |
| source-diff | obfuscated-file:dist/index-6fedcd48.cjs | AI (source-diff): Standard minified bundle; WalletConnect/argentX connector logic visible in sample. | ai | |
| source-diff | net-exec-file:dist/index-6fedcd48.cjs | AI (source-diff): Network calls are public Starknet RPC endpoints; dynamic exec is module loader pattern. | ai | |
| source-diff | obfuscated-file:dist/index-d7210027.cjs | AI (source-diff): Standard minified bundle; SVG/connector code visible in sample. | ai | |
| source-diff | obfuscated-file:dist/index-ece0eba5.cjs | AI (source-diff): Standard minified bundle; EventEmitter and connector imports visible in sample. | ai | |
| source-diff | obfuscated-file:dist/Modal-6676c90a.cjs | AI (source-diff): Standard minified UI bundle for wallet modal. | ai | |
| source-diff | obfuscated-file:dist/secp256k1-9207c9e8.cjs | AI (source-diff): Standard minified crypto library bundle; expected for Starknet wallet kit. | ai | |
| source-diff | obfuscated-file:dist/trpc-a7fa79b1.cjs | AI (source-diff): Standard minified tRPC bundle; declared as dependency. | ai | |
| source-diff | obfuscated-file:dist/controllerConnector.js | AI (source-diff): ESM counterpart of the CJS bundle; same rationale. | ai | |
| source-diff | obfuscated-file:dist/core-44275fb6.js | AI (source-diff): ESM counterpart of the CJS bundle; same rationale. | ai | |
| source-diff | net-exec-file:dist/core-44275fb6.js | AI (source-diff): Same as CJS counterpart; module federation loader pattern. | ai | |
| source-diff | obfuscated-file:dist/index-40b7c32e.js | AI (source-diff): Standard minified ESM bundle. | ai | |
| source-diff | obfuscated-file:dist/index-6b0f510b.js | AI (source-diff): Standard minified ESM bundle. | ai | |
| source-diff | obfuscated-file:dist/Modal-9e67a367.js | AI (source-diff): Standard minified UI bundle for wallet modal. | ai | |
| phantom-deps | phantom-dep:@argent/x-ui | AI (phantom-deps): Declared runtime dep; bundled into dist connectors. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Declared runtime dep for UI components; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:trpc-browser | AI (phantom-deps): trpc-browser is a declared runtime dep; same bundled-library false-positive pattern. | ai | |
| phantom-deps | phantom-dep:svelte-forms | AI (phantom-deps): svelte-forms is a declared runtime dep; phantom-dep fires due to bundling, not a real phantom. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): lodash-es is a declared runtime dep; same bundled-library false-positive pattern. | ai | |
| phantom-deps | phantom-dep:detect-browser | AI (phantom-deps): detect-browser is a declared runtime dep; same bundled-library false-positive pattern. | ai | |
| phantom-deps | phantom-dep:bowser | AI (phantom-deps): bowser is a declared runtime dep; phantom-dep heuristic fires because it's bundled, not directly imported in analyzed entry points. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 3.4.1 | 17 / 43 | |
| 3.4.0 | 17 / 43 | |
| 3.3.0 | 17 / 43 | |
| 3.2.0 | 17 / 43 | |
| 3.1.2 | 17 / 43 | |
| 3.1.1 | 17 / 43 | |
| 3.1.0 | 17 / 43 | |
| 2.10.4 | 13 / 35 | |
v3.4.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.0
19 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
19 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
19 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
19 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
19 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.