npm · registry.npmjs.org

@bitgo/account-lib

Native Addon Gyp Action, Credential file access, Large Javascript Payload

Why PkgRadar flagged 1.7.0

Severity	Signal	Evidence
high	Native Addon Gyp Action	package/plugins/trx/node_modules/secp256k1/binding.gyp
medium	Credential file access	package/plugins/trx/node_modules/global-prefix/index.js

Showing signal labels only. Sign in to view the exact matched indicators for each finding.

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.7.0`	High risk	15	2026-06-20
`1.7.1`	High risk	15	2026-06-20
`2.0.0-rc.1`	High risk	15	2026-06-20
`27.23.2`	Low risk	0	2026-06-18
`27.23.1`	Low risk	0	2026-06-16
`27.23.0`	Low risk	0	2026-06-09
`27.22.5`	Low risk	0	2026-06-04
`27.22.4`	Low risk	0	2026-06-03
`27.22.3`	Low risk	0	2026-06-02
`27.22.2`	Low risk	0	2026-05-28
`27.22.0`	Low risk	0	2026-05-27
`27.22.1`	Low risk	0	2026-05-27

Campaign attribution

Part of the Miasma worm campaign.

Related campaigns

Block this in CI

PkgRadar gates @bitgo/account-lib (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @bitgo/[email protected]