@cosmjs/crypto — Greenflagged

Cryptography resources for blockchain projects

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

webmaster128kiki-skip

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:elliptic	AI (dependencies): Elliptic is a standard ECDSA library; appropriate for crypto package and widely used in blockchain projects.	ai	2026/04/23
phantom-deps	phantom-dep:@cosmjs/utils	AI (phantom-deps): Same-org scoped dependency (@cosmjs/utils) declared in package.json; phantom flag is a false positive for this monorepo package structure.	ai	2026/04/23
source-diff	encoded-string-file:build/hmac.spec.js	AI (source-diff): Long hex strings are RFC 4231 HMAC test vectors — standard cryptographic test data, not obfuscated payloads.	ai	2026/04/23
source-diff	encoded-string-file:build/libsodium.spec.js	AI (source-diff): Long hex strings are Argon2/libsodium test vectors — standard cryptographic test data, not obfuscated payloads.	ai	2026/04/23
source-diff	encoded-string-file:build/secp256k1.spec.js	AI (source-diff): Long hex strings are secp256k1 signature verification test vectors — standard cryptographic test data, not obfuscated payloads.	ai	2026/04/23
dependencies	unvetted-dep:hash-wasm	AI (dependencies): hash-wasm is a legitimate WebAssembly hashing library; its use in a cryptography package is expected and appropriate across all versions.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): Minor metadata signals (README format, keywords) do not reflect actual code quality or security risk for established library.	ai	2026/04/22
typosquat	typosquat.levenshtein:bcrypt	AI (typosquat): @cosmjs/crypto is a scoped package from the established CosmWasm org; no impersonation intent. False positive for legitimate namespace.	ai	2026/04/21
dependencies	unvetted-dep:@cosmjs/encoding	AI (dependencies): Sibling package in the same CosmJS monorepo; legitimate dependency, not suspicious.	ai	2026/04/21

Versions (showing 40 of 40)

Show 4 prereleases

Version	Deps	Published
0.38.1	8 / 22	2025-12-31
0.38.0	8 / 22	2025-12-30
0.37.1	8 / 22	2025-12-31
0.37.0	8 / 22	2025-10-29
0.36.2	7 / 24	2025-10-24
0.36.1	7 / 24	2025-10-02
0.36.0	7 / 24	2025-08-14
0.35.2	6 / 24	2025-10-29
0.35.1	6 / 24	2025-10-22
0.35.0	6 / 24	2025-08-13
0.34.1	7 / 27	2025-10-22
0.34.0	7 / 27	2025-07-11
0.33.1	7 / 37	2025-03-13
0.33.0	7 / 37	2025-01-15
0.32.1	7 / 37	2023-12-04
0.31.1	7 / 37	2023-08-21
0.31.0	7 / 37	2023-06-22
0.30.1	7 / 37	2023-03-22
0.29.4	7 / 37	2022-11-15
0.29.0	7 / 37	2022-09-15
0.28.13	7 / 37	2022-08-18
0.28.9	7 / 37	2022-06-21
0.28.5	7 / 37	2022-06-08
0.28.3	7 / 38	2022-04-11
0.28.0	7 / 38	2022-03-17
0.26.5	10 / 41	2021-11-20
0.26.4	10 / 41	2021-10-28
0.26.3	10 / 41	2021-10-25
0.26.2	10 / 41	2021-10-12
0.26.1	10 / 41	2021-09-30
0.25.4	10 / 5	2021-05-31
0.25.3	10 / 5	2021-05-18
0.25.2	12 / 7	2021-05-11
0.25.0	12 / 7	2021-05-05
0.24.1	12 / 7	2021-03-12
0.24.0	12 / 7	2021-03-11
0.23.2	13 / 7	2021-01-06
0.21.1	13 / 7	2020-07-01
0.21.0	13 / 7	2020-06-28
0.20.1	13 / 7	2020-06-30