@everymatrix/lottery-program-wof
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:components/LotteryProgramWof-DBtkhZr_.js | AI (source-diff): Standard Rollup/Vite minified bundle output; samples show Svelte/Stencil runtime, not malicious code. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BifuP5SW.js | AI (source-diff): Standard Rollup/Vite minified bundle output; samples show Svelte/Stencil runtime, not malicious code. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DHFTDgpP.cjs | AI (source-diff): Standard Rollup/Vite minified bundle output; samples show Svelte/Stencil runtime, not malicious code. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-Dt4wo6GZ.cjs | AI (source-diff): Minified Stencil/Svelte component bundle; hashed filename is standard build output for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DweRKyQN.js | AI (source-diff): Minified Stencil/Svelte component bundle; hashed filename is standard build output for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-B6XBWCdZ.js | AI (source-diff): Minified Stencil/Svelte component bundle; hashed filename is standard build output for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BGsHE60v.js | AI (source-diff): Standard Rollup/Vite minified build output with hashed filename; Svelte runtime internals visible in sample. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-skWXLkMx.js | AI (source-diff): Standard Rollup/Vite minified build output with hashed filename; Svelte runtime internals visible in sample. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-Cu9krGSf.cjs | AI (source-diff): Standard Rollup/Vite minified build output with hashed filename; Svelte runtime internals visible in sample. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-CmlsU1Jv.cjs | AI (source-diff): Standard Svelte/Stencil CJS bundle; minified output is expected for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-qLqNINss.js | AI (source-diff): Standard ESM build artifact; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-c7x98OFe.js | AI (source-diff): Standard ESM build artifact; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-2nvxOV2Q.js | AI (source-diff): Standard minified Stencil/Svelte build artifact; hashed filename pattern is normal for this package family. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-CZxURjAo.js | AI (source-diff): Standard minified Stencil/Svelte build artifact; hashed filename pattern is normal for this package family. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BgdI85HW.cjs | AI (source-diff): Standard minified Stencil/Svelte build artifact; hashed filename pattern is normal for this package family. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DsFj_J_8.cjs | AI (source-diff): Minified CJS component bundle; standard build artifact. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DyjE56ed.js | AI (source-diff): ESM component bundle; standard build artifact. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-D6bipFrB.js | AI (source-diff): ESM component bundle; standard build artifact. | ai | |
| source-diff | obfuscated-file:stencil/ui-skeleton-ae35c6f2-xLf3HyeB.cjs | AI (source-diff): Stencil skeleton component CSS+JS bundle; standard build output. | ai | |
| source-diff | obfuscated-file:stencil/index-b2193545-YW9b062G.cjs | AI (source-diff): Stencil framework minified build output; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BtlXlyt9.cjs | AI (source-diff): Standard minified Stencil/Svelte bundle output; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-1vQRuLGK.js | AI (source-diff): Standard minified Stencil/Svelte bundle output; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-duiuW3BM.js | AI (source-diff): Standard minified Stencil/Svelte bundle output; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:stencil/index-b2193545-D-u-gzj3.cjs | AI (source-diff): Stencil runtime build artifact; minified by design across all versions of this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BdYPGLGT.js | AI (source-diff): ESM build artifact for Svelte/Stencil component; minified by design. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BONPZQgy.js | AI (source-diff): ESM build artifact; recognizable Svelte runtime patterns, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:stencil/ui-skeleton-ae35c6f2-CXlvqczG.cjs | AI (source-diff): Stencil ui-skeleton component bundle; standard minified build artifact. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DN7e4orJ.cjs | AI (source-diff): Svelte/Stencil component bundle; minified build output, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-Bl-3ZtHY.cjs | AI (source-diff): Standard minified CJS build output from Svelte/Vite; stable for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Scoped org package; missing description is consistent across versions. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-D2QbOn5M.js | AI (source-diff): Standard ESM build output from Svelte/Vite; stable for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BZL76QEb.js | AI (source-diff): Standard ESM build output from Svelte/Vite; stable for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DP6wegF4.js | AI (source-diff): Standard minified Svelte/Stencil component build output; stable for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-ccUqL05t.js | AI (source-diff): Standard minified Svelte/Stencil component build output; stable for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BuX4sJq7.cjs | AI (source-diff): Standard minified Svelte/Stencil component build output; stable for this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BI9kJXC6.js | AI (source-diff): Standard Svelte/Vite minified build output; hashed filename is a bundler artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DDCnyVNP.js | AI (source-diff): Standard Svelte/Vite minified build output; hashed filename is a bundler artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DDtLQ0iL.cjs | AI (source-diff): Standard Svelte/Vite minified build output; hashed filename is a bundler artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BLaFnIH2.js | AI (source-diff): Standard minified Stencil/Svelte bundle output; consistent pattern across all versions of this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-Del3QN2Q.js | AI (source-diff): Standard minified Stencil/Svelte bundle output; consistent pattern across all versions of this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-BVWJH356.cjs | AI (source-diff): Standard minified Stencil/Svelte bundle output; consistent pattern across all versions of this package. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-Baccieep.cjs | AI (source-diff): Minified Stencil/Svelte build artifact; consistent with this package's established pattern of bundled UI components. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-C5wYZ6-6.js | AI (source-diff): Minified Stencil/Svelte build artifact; consistent with this package's established pattern of bundled UI components. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped internal UI component package; no repo/deps/keywords is structural, not a spam indicator. | ai | |
| source-diff | obfuscated-file:components/LotteryProgramWof-DQLRMnSO.js | AI (source-diff): Minified Stencil/Svelte build artifact; consistent with this package's established pattern of bundled UI components. | ai |
Versions (showing 24 of 129)
| Version | Deps | Published |
|---|---|---|
| 1.85.0 | 0 / 0 | |
| 1.84.3 | 0 / 0 | |
| 1.84.2 | 0 / 0 | |
| 1.84.1 | 0 / 0 | |
| 1.84.0 | 0 / 0 | |
| 1.83.12 | 0 / 0 | |
| 1.83.11 | 0 / 0 | |
| 1.83.10 | 0 / 0 | |
| 1.83.9 | 0 / 0 | |
| 1.83.8 | 0 / 0 | |
| 1.83.7 | 0 / 0 | |
| 1.83.6 | 0 / 0 | |
| 1.83.5 | 0 / 0 | |
| 1.83.4 | 0 / 0 | |
| 1.76.3 | 0 / 0 | |
| 1.74.10 | 0 / 0 | |
| 1.74.3 | 0 / 0 | |
| 1.68.0 | 0 / 0 | |
| 1.67.3 | 0 / 0 | |
| 1.67.0 | 0 / 0 | |
| 1.66.2 | 0 / 0 | |
| 1.66.1 | 0 / 0 | |
| 1.66.0 | 0 / 0 | |
| 1.65.3 | 0 / 0 |
v1.85.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.84.3
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.84.2
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.84.1
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.84.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.12
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.11
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.83.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.83.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.83.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.83.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.76.3
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.74.10
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.74.3
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.68.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.67.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.67.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.66.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.66.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.66.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.65.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.