Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@sodax/[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@sodax/[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "cUrl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 93 · status changed
Related candidates
Linked campaigns and clusters
robi_icon_foundation
2 members · evidence strength 60
Evidence
Static findings
10 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/chunk-C6M34IVL.mjs | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/chunk-MWWVB7TD.mjs | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/chunk-NAKCAL2M.mjs | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/chunk-VCESC6QT.mjs | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/chunk-WPZOLGVB.mjs | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/chunk-X7BHR7WS.mjs | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/index.mjs | matched "cUrl " | 12 |
Low-signal and informational findings
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Obfuscation | package/dist/chunk-JQ4H4GJ5.mjs | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/chunk-VCESC6QT.mjs | matched "Buffer.from(psbtBase64, \"base64" | 3 |
| low | Obfuscation | package/dist/index.mjs | matched "\\u2014" | 3 |
Manifest
Package metadata
Scripts (10)
| Script | Command |
|---|---|
| build | NODE_OPTIONS=--max-old-space-size=8192 tsup |
| check-exports | attw --pack --profile esm-only |
| check:circular-deps | madge --circular $(find ./src -name '*.ts' -o -name '*.tsx') |
| check:knip | knip |
| checkTs | tsc --noEmit |
| clean | rm -rf dist && rm -rf node_modules && rm -rf .turbo |
| dev | tsup --watch ./src |
| lint | biome lint . --write |
| pretty | biome format . --write |
| test | vitest run |
Dependencies (24)
| Package | Version |
|---|---|
| @creit.tech/stellar-wallets-kit | ^1.7.5 |
| @hot-labs/near-connect | 0.10.0 |
| @injectivelabs/networks | 1.18.14 |
| @injectivelabs/sdk-ts | 1.18.14 |
| @injectivelabs/ts-types | 1.18.14 |
| @injectivelabs/wallet-base | 1.18.14 |
| @injectivelabs/wallet-core | 1.18.14 |
| @injectivelabs/wallet-cosmos | 1.18.14 |
| @mysten/dapp-kit | 0.14.18 |
| @mysten/sui | 1.21.2 |
| @sodax/libs | 0.0.1-rc.0 |
| @sodax/types | 2.0.0-rc.5 |
| @sodax/wallet-sdk-core | 2.0.0-rc.5 |
| @solana/spl-token | 0.4.9 |
| @solana/wallet-adapter-react | 0.15.35 |
| @solana/web3.js | 1.98.0 |
| @stellar/stellar-sdk | 15.1.0 |
| icon-sdk-js | 1.5.3 |
| immer | 10.1.1 |
| near-api-js | 7.2.0 |
| sats-connect | ^4.2.1 |
| viem | 2.29.2 |
| wagmi | 2.16.9 |
| zustand | 4.5.2 |