@polkadot/util-crypto — Greenflagged

A collection of useful crypto utilities for @polkadot

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jacogrpolkadotjsparitytech-ci

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:cjs/mnemonic/wordlists/en.js	AI (source-diff): BIP-39 English wordlist stored as a pipe-delimited string — standard format for mnemonic word lists, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/wordlists/es.js	AI (source-diff): BIP-39 Spanish wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/en.js	AI (source-diff): BIP-39 English wordlist stored as a pipe-delimited string — standard format for mnemonic word lists, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/zh-t.js	AI (source-diff): BIP-39 Traditional Chinese wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/wordlists/zh-t.js	AI (source-diff): BIP-39 Traditional Chinese wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/zh-s.js	AI (source-diff): BIP-39 Simplified Chinese wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/wordlists/zh-s.js	AI (source-diff): BIP-39 Simplified Chinese wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/ko.js	AI (source-diff): BIP-39 Korean wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/wordlists/ko.js	AI (source-diff): BIP-39 Korean wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/jp.js	AI (source-diff): BIP-39 Japanese wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/wordlists/jp.js	AI (source-diff): BIP-39 Japanese wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/it.js	AI (source-diff): BIP-39 Italian wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/wordlists/it.js	AI (source-diff): BIP-39 Italian wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/fr.js	AI (source-diff): BIP-39 French wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/wordlists/fr.js	AI (source-diff): BIP-39 French wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	obfuscated-file:mnemonic/wordlists/es.js	AI (source-diff): BIP-39 Spanish wordlist stored as a pipe-delimited string — standard format, not obfuscated code.	ai	2026/04/24
source-diff	source-size-dropped	AI (source-diff): Significant source reduction in mature crypto utility library likely reflects legitimate refactoring/cleanup, not code replacement. Consistent with established publisher's track record.	ai	2026/04/24
source-diff	obfuscated-file:cjs/mnemonic/bip39-en.js	AI (source-diff): The 'obfuscated' file is the BIP39 English wordlist stored as a pipe-delimited string — a standard data file, not obfuscated code. Long line is 2048 mnemonic words concatenated.	ai	2026/04/24
dependencies	unvetted-dep:@types/pbkdf2	AI (dependencies): @types/pbkdf2 is a standard TypeScript type definition package for the pbkdf2 library. Low risk for this well-established crypto utility package.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/schnorrkel-js	AI (dependencies): @polkadot/schnorrkel-js is the official Schnorr/sr25519 WASM binding from the same Polkadot JS organization; entirely expected in this crypto utility package.	ai	2026/04/24
dependencies	unvetted-dep:@types/secp256k1	AI (dependencies): @types/secp256k1 is a DefinitelyTyped TypeScript type definition package for the secp256k1 library — a legitimate and expected dependency for a crypto utility package.	ai	2026/04/24
phantom-deps	phantom-dep:@noble/hashes	AI (phantom-deps): @noble/hashes is vendored/bundled under ./noble-hashes/lib/ in the package exports map; not imported via node_modules path. Phantom-dep detection is a false positive for this bundling pattern.	ai	2026/04/24
source-diff	obfuscated-file:noble-hashes/lib/sha512.cjs	AI (source-diff): File is Babel-transpiled CJS output of the @noble/hashes library (MIT, paulmillr.com). Long lines are due to transpiler helpers and inline SHA-512 constants, not obfuscation. Stable false positive for this package.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): 150 new files are the vendored @noble/hashes library replacing multiple older hash dependencies. Deliberate consolidation by a trusted publisher, not injected code.	ai	2026/04/24
publish-pattern	dormant-publish	AI (publish-pattern): polkadotjs publisher has 4079 approved/0 rejected packages; dormancy followed by legitimate coordinated ecosystem release is expected for this well-established package.	ai	2026/04/24
dependencies	unvetted-dep:elliptic	AI (dependencies): elliptic is a well-known JS elliptic curve library; its use in a crypto utility package for secp256k1 operations is expected and legitimate.	ai	2026/04/24
phantom-deps	phantom-dep:create-hash	AI (phantom-deps): create-hash is a standard hashing dependency; phantom detection is a false positive for this crypto utility package.	ai	2026/04/24
phantom-deps	phantom-dep:bn.js	AI (phantom-deps): bn.js is a standard big-number dependency used transitively in crypto operations; phantom detection is a false positive for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/secp256k1	AI (phantom-deps): @types/* packages are TypeScript type definitions loaded by convention, not directly imported. This is standard practice for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/pbkdf2	AI (phantom-deps): @types/* packages are TypeScript type definitions loaded by convention, not directly imported. This is standard practice for this package.	ai	2026/04/24
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding is used to load the compiled schnorrkel WebAssembly binary — canonical WASM-in-npm pattern, not a hidden payload.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require() in wasm-bindgen generated glue code for schnorrkel WASM module — standard wasm-bindgen output, not malicious.	ai	2026/04/24
source-diff	obfuscated-file:schnorrkel/schnorrkel-js/schnorrkel_js_bg.js	AI (source-diff): This file is a wasm-bindgen generated JS wrapper containing a hex-encoded WebAssembly binary (schnorrkel/sr25519). The pattern is canonical for WASM-in-npm packages and is not obfuscation.	ai	2026/04/24
source-diff	obfuscated-file:schnorrkel/schnorrkel-js/schnorrkel_js_wasm.js	AI (source-diff): File is a base64-encoded WebAssembly binary (AGFzbQ = \0asm magic bytes) generated by wasm-bindgen. Standard pattern for WASM-based crypto libraries in the Polkadot ecosystem.	ai	2026/04/24
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() is standard wasm-bindgen glue code for bridging WASM imports to JS. Input comes from WASM memory, not user-controlled external sources.	ai	2026/04/24
source-diff	encoded-string-file:blake2/asHex.spec.js	AI (source-diff): Long strings in spec files are cryptographic test vectors (expected hash outputs), not encoded payloads.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase is entirely explained by the embedded WASM binary for Schnorrkel signatures, a legitimate cryptographic addition.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): bip39 and @types/bip39 are legitimate, well-known packages expected in a blockchain crypto utility library; addition is consistent with the package's purpose.	ai	2026/04/24
phantom-deps	phantom-dep:@types/webassembly-js-api	AI (phantom-deps): @types/* packages are TypeScript type declarations; not being directly imported is expected and normal for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:@types/xxhashjs	AI (phantom-deps): @types/* packages are TypeScript type declarations; not being directly imported is expected and normal for this package type.	ai	2026/04/24
dependencies	unvetted-dep:@types/bip39	AI (dependencies): @types/bip39 is a TypeScript type definitions package — purely a development/type aid with no runtime risk. Stable false positive for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/bip39	AI (phantom-deps): @types/bip39 is a TypeScript type definitions package; it is normal for TS libraries to declare @types/* as dependencies for consumers even without direct imports.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance; trusted publisher with 8385 approved packages. Stable false positive for this package.	ai	2026/04/24
source-diff	encoded-string-file:blake2/blake2b/asHex.spec.js	AI (source-diff): Long hex strings in this file are cryptographic test vectors for blake2b correctness verification — standard practice in crypto library test suites, not malicious payloads.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): paritytech-ci is a known trusted publisher in the Polkadot ecosystem; the maintainer addition reflects a legitimate org-level CI transition.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): paritytech-ci is the established Parity Technologies CI publisher for the polkadot-js ecosystem with 67 approved packages and 0 rejections; this transition is legitimate.	ai	2026/04/23
source-diff	encoded-string-file:bundle-polkadot-util-crypto.js	AI (source-diff): Long base64 string is a zlib-compressed WASM binary embedded in the bundle — standard practice for polkadot-js packages, not a malicious payload.	ai	2026/04/23
phantom-deps	phantom-dep:@polkadot/wasm-util	AI (phantom-deps): Same-org scope dependency declared but not directly imported; expected pattern for the @polkadot monorepo structure.	ai	2026/04/21
semgrep	semgrep:shady-links-tlds	AI (semgrep): URLs in this package are blockchain network metadata (website fields), not C2 infrastructure. This is a stable false positive for this package.	ai	2026/04/21

Versions (showing 75 of 375)

Version	Deps	Published
0.24.1	6 / 0	2018-06-22
0.23.2	6 / 0	2018-06-21
0.23.1	6 / 0	2018-06-20
0.22.11	6 / 0	2018-06-15
0.22.10	6 / 0	2018-06-13
0.22.9	6 / 0	2018-06-12
0.22.8	6 / 0	2018-06-12
0.22.7	6 / 0	2018-06-11
0.22.6	6 / 0	2018-06-08
0.22.5	6 / 0	2018-06-07
0.22.4	6 / 0	2018-06-02
0.22.3	6 / 0	2018-06-02
0.22.2	6 / 0	2018-05-25
0.22.1	6 / 0	2018-05-24
0.21.3	6 / 0	2018-05-23
0.21.2	6 / 0	2018-05-22
0.21.1	6 / 0	2018-05-17
0.20.5	6 / 0	2018-05-17
0.20.4	6 / 0	2018-05-16
0.20.3	6 / 0	2018-05-16
0.20.2	5 / 0	2018-05-16
0.19.9	5 / 0	2018-05-16
0.19.8	5 / 0	2018-05-16
0.19.7	5 / 0	2018-05-15
0.19.6	5 / 0	2018-05-08
0.19.5	5 / 0	2018-05-05
0.19.4	5 / 0	2018-04-27
0.19.3	5 / 0	2018-04-27
0.19.2	5 / 0	2018-04-23
0.19.1	5 / 0	2018-04-19
0.18.6	5 / 0	2018-04-17
0.18.5	5 / 0	2018-04-17
0.18.4	5 / 0	2018-04-11
0.18.3	5 / 0	2018-04-11
0.18.2	5 / 0	2018-03-21
0.18.1	5 / 0	2018-03-20
0.17.4	5 / 0	2018-03-19
0.17.3	5 / 0	2018-03-19
0.17.2	5 / 0	2018-03-13
0.17.1	5 / 0	2018-03-08
0.16.6	5 / 0	2018-03-08
0.16.5	5 / 0	2018-02-28
0.16.4	5 / 0	2018-02-28
0.16.3	5 / 0	2018-02-26
0.16.2	5 / 0	2018-02-26
0.16.1	5 / 0	2018-02-23
0.15.10	5 / 0	2018-02-22
0.15.9	5 / 0	2018-02-21
0.15.8	5 / 0	2018-02-21
0.15.7	5 / 0	2018-02-21
0.15.6	5 / 0	2018-02-20
0.15.5	5 / 0	2018-02-20
0.15.4	5 / 0	2018-02-20
0.15.3	5 / 0	2018-02-20
0.15.2	5 / 0	2018-02-16
0.15.1	5 / 0	2018-02-15
0.14.11	5 / 0	2018-02-14
0.14.10	5 / 0	2018-02-13
0.14.9	5 / 0	2018-02-13
0.14.7	5 / 0	2018-02-12
0.14.6	5 / 0	2018-02-12
0.14.5	5 / 0	2018-02-12
0.14.4	5 / 0	2018-02-12
0.14.3	5 / 0	2018-02-08
0.14.2	5 / 0	2018-02-08
0.14.1	5 / 0	2018-02-07
0.13.9	5 / 0	2018-02-07
0.13.8	5 / 0	2018-02-02
0.13.7	5 / 0	2018-02-02
0.13.6	5 / 0	2018-01-31
0.13.5	5 / 0	2018-01-30
0.13.4	5 / 0	2018-01-30
0.13.3	5 / 0	2018-01-30
0.13.2	5 / 0	2018-01-29
0.13.1	5 / 0	2018-01-25

v0.24.1

2 findings

HIGH Long encoded string in modified file: blake2/blake2b/asHex.spec.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.