@everymatrix/casino-challenge-card
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-61155403.js | AI (source-diff): Standard ESM bundle output for this package. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-f83271c7.js | AI (source-diff): Standard CJS bundle output for this package. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-61155403.js | AI (source-diff): Standard minified Stencil.js component build output for this package. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-3167d1a2.js | AI (source-diff): Standard Stencil/Rollup minified bundle output; consistent with all prior versions of this package. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-379a42fc.js | AI (source-diff): Standard Stencil/Rollup minified CJS bundle; consistent with all prior versions of this package. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-3167d1a2.js | AI (source-diff): Standard Stencil/Rollup minified ESM bundle; consistent with all prior versions of this package. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-125248e1.js | AI (source-diff): Standard Stencil.js minified build output; content is readable UI component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-bb11db1d.js | AI (source-diff): Standard Stencil.js minified build output; content is readable UI component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-bb11db1d.js | AI (source-diff): Standard Stencil.js minified build output; content is readable UI component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-6ba6ac71.js | AI (source-diff): Standard Stencil.js minified build output; content is readable UI component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-aa5eff33.js | AI (source-diff): Standard Stencil.js CJS build output; readable i18n and component logic, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-6ba6ac71.js | AI (source-diff): Standard Stencil.js ESM build output; readable i18n and component logic, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-4336e15a.js | AI (source-diff): Standard Stencil.js minified build output; content is readable UI component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/index-3c031981.js | AI (source-diff): Stencil.js runtime bundle; minified but contains no encoded payloads or suspicious network calls. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-ac7bf9ad.js | AI (source-diff): Standard Stencil.js CJS build output; same pattern as other EveryMatrix widget packages. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-4336e15a.js | AI (source-diff): Standard Stencil.js ESM build output; same pattern as other EveryMatrix widget packages. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-69691c81.js | AI (source-diff): Standard Stencil.js minified bundle output; content is readable i18n/component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-a61ede26.js | AI (source-diff): Standard Stencil.js minified bundle output; content is readable i18n/component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-a61ede26.js | AI (source-diff): Standard Stencil.js minified bundle output; content is readable i18n/component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-a948bc14.js | AI (source-diff): CJS build chunk; same pattern as ESM, consistent with this package's established build pipeline. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-36a14c60.js | AI (source-diff): Standard minified Stencil build output; content-addressable chunk filename is normal for this package's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-36a14c60.js | AI (source-diff): ESM build chunk; readable source content confirms legitimate minified output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-47ec7af7.js | AI (source-diff): Standard Stencil/Rollup minified build output; content is readable UI component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-47ec7af7.js | AI (source-diff): Standard Stencil/Rollup minified build output; content is readable UI component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-6c7fa4d3.js | AI (source-diff): Standard Stencil/Rollup minified build output; content is readable UI component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-d6838ed6.js | AI (source-diff): Standard Stencil/Rollup minified build output; content is readable i18n/component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-5a587a11.js | AI (source-diff): Standard Stencil/Rollup minified build output; content is readable i18n/component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-5a587a11.js | AI (source-diff): Standard Stencil/Rollup minified build output; content is readable i18n/component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-b05739bf.js | AI (source-diff): Standard minified Stencil/Rollup ESM bundle; content is readable UI component code. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-e34664ed.js | AI (source-diff): Standard minified Stencil/Rollup CJS bundle; content is readable UI component code. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-b05739bf.js | AI (source-diff): Standard minified Stencil/Rollup bundle; content is readable UI component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-7802ca06.js | AI (source-diff): Standard Rollup/Stencil minified build output; samples show plain i18n strings, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-c79647e9.js | AI (source-diff): Standard CJS minified build output; content is readable UI component code. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-7802ca06.js | AI (source-diff): Standard ESM minified build output; content is readable UI component code. | ai | |
| source-diff | obfuscated-file:dist/esm/casino-challenge-card-5bf88f60.js | AI (source-diff): ESM build artifact; same readable component logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/cjs/casino-challenge-card-aa9771ee.js | AI (source-diff): CJS build artifact; same readable component logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/casino-challenge-card/casino-challenge-card-5bf88f60.js | AI (source-diff): Standard Rollup/Stencil minified bundle; content is readable UI component code, not malicious obfuscation. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Consistent with @everymatrix component library publishing pattern; not a spam/malware indicator here. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Corporate scoped UI component package with 250 versions; sparse metadata is a consistent pattern across the @everymatrix namespace. | ai |
Versions (showing 18 of 118)
| Version | Deps | Published |
|---|---|---|
| 1.85.2 | 0 / 0 | |
| 1.85.1 | 0 / 0 | |
| 1.83.10 | 0 / 0 | |
| 1.83.9 | 0 / 0 | |
| 1.83.8 | 0 / 0 | |
| 1.83.7 | 0 / 0 | |
| 1.83.6 | 0 / 0 | |
| 1.83.5 | 0 / 0 | |
| 1.83.4 | 0 / 0 | |
| 1.83.2 | 0 / 0 | |
| 1.83.0 | 0 / 0 | |
| 1.77.21 | 0 / 0 | |
| 1.77.19 | 0 / 0 | |
| 1.77.18 | 0 / 0 | |
| 1.77.17 | 0 / 0 | |
| 1.77.5 | 0 / 0 | |
| 1.77.4 | 0 / 0 | |
| 1.77.3 | 0 / 0 |
v1.85.2
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.85.1
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.83.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.83.2
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.21
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.19
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.18
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.17
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.