PkgRadar

Package evidence

[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishercoinley-fintech
Artifact bytes2,699,397
Previous version0.11.0
Published2026-05-24T12:37:03.953Z
SHA-25625f840e83f8c6cbfc88d7d5b30b1c69882e1fb9ab8a0c378553c1869116a8d53

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
47Score
0.12.0Version
Status history (1 event)
  1. newavailable · risk high · score 47 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

coinley-fintech

4 members · evidence strength 73

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/index.umd.jsmatched "raw.githubusercontent.com"12
mediumObfuscation Densitypackage/dist/index.umd.jshigh encoded/escaped-token density12
mediumLarge Javascript Payloadpackage/dist/coinley-vanilla.min.js6111652 bytes10
mediumLarge Javascript Payloadpackage/dist/index-CgA1qDmB.js2032046 bytes10
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/index.umd.jsmatched "raw.githubusercontent.com"12
mediumObfuscation Densitypackage/dist/index.umd.jshigh encoded/escaped-token density12
mediumLarge Javascript Payloadpackage/dist/coinley-vanilla.min.js6111652 bytes10
mediumLarge Javascript Payloadpackage/dist/index-CgA1qDmB.js2032046 bytes10
lowObfuscationpackage/dist/index.umd.jsmatched "fromCharCode"3

Manifest

Package metadata

Scripts7
  • buildvite build && vite build --config vite.config.vanilla.js
  • devvite
  • linteslint .
  • previewvite preview
  • probe:acrossnode scripts/test-across-fallback.js
  • probe:across-destinationsnode scripts/compare-across-destinations.js
  • probe:lifinode scripts/test-lifi-routes.js
Dependencies17
  • @coinley/wallet-connect-core^0.5.1
  • @reown/appkit^1.8.14
  • @reown/appkit-adapter-solana^1.8.14
  • @reown/appkit-adapter-wagmi^1.8.14
  • @solana/spl-token^0.4.14
  • @solana/wallet-adapter-base^0.9.27
  • @solana/wallet-adapter-react^0.15.39
  • @solana/wallet-adapter-react-ui^0.9.39
  • @solana/wallet-adapter-wallets^0.19.37
  • @solana/web3.js^1.98.4
  • @walletconnect/modal^2.7.0
  • axios^1.11.0
  • buffer^6.0.3
  • framer-motion^11.18.2
  • lucide-react^0.453.0
  • mixpanel-browser^2.72.0
  • qrcode^1.5.4