crypto — Greenflagged

This package is no longer supported and has been deprecated. To avoid malicious use, npm is hanging on to the package name.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ehsalazar

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
typosquat	typosquat.levenshtein:bcrypt	AI (typosquat): 'crypto' is a well-established, legitimate package with 1.6M weekly downloads and 5489 days of history. It is not a typosquat of 'bcrypt'; the Levenshtein match is a false positive.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal for this package.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Empty/minimal payload is intentional for a deprecation placeholder package; stable for this package.	ai	2026/04/24
source-diff	source-size-dropped	AI (source-diff): Code removal is intentional — package was converted to an empty deprecation holder for a Node.js built-in.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer is part of npm's deprecate-holder process; stable for this package.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher change is part of npm's namespace reclamation for Node.js core module names; expected and stable.	ai	2026/04/24
maintainer-change	maintainer-takeover	AI (maintainer-change): Maintainer change reflects npm's reclamation of a Node.js built-in name to the npm/deprecate-holder org; stable for this package.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Original maintainer removed as part of npm namespace reclamation; expected.	ai	2026/04/24

Versions (showing 4 of 4)

Version	Deps	Published
1.0.1	0 / 0	2017-08-10
1.0.0	0 / 0	2017-08-10
0.0.3	0 / 1	2011-11-08
0.0.1	0 / 1	2011-04-14

v1.0.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (gozala) were replaced by new maintainers (ehsalazar). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: gozala → ehsalazar (on 2017-08-10) provenance

This version was published by a different npm account than previous versions on 2017-08-10. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.