Package evidence
[email protected]
Remote Dependency Spec: dependencies.@fioprotocol/fiosdk="https://github.com/EdgeApp/fiosdk_typescript.git#47df5818442edec69b735d6a723747aad33b8d71"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 1,039 (Niche · −30% score)
- Versions published: 573 (Mature · −50% score)
- First published: Sep 2018
- Publisher: mattdpiche
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.@fioprotocol/fiosdk="https://github.com/EdgeApp/fiosdk_typescript.git#47df5818442edec69b735d6a723747aad33b8d71"
2 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 36 · status changed
Evidence
Static findings
3 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.@fioprotocol/fiosdk="https://github.com/EdgeApp/fiosdk_typescript.git#47df5818442edec69b735d6a723747aad33b8d71" | 12 |
| high | Remote Dependency Spec | package.json | dependencies.@zano-project/zano-utils-js="https://github.com/EdgeApp/zano-utils-js/releases/download/v0.0.4-edge.1/zano-project-zano-utils-js-0.0.4.tgz" | 12 |
| high | New Remote Dependency Vs Previous | package.json | dependencies.@zano-project/zano-utils-js added in 4.80.0-1 vs 4.79.1: "https://github.com/EdgeApp/zano-utils-js/releases/download/v0.0.4-edge.1/zano-project-zano-utils-js-0.0.4.tgz" | 12 |
| low | Large Javascript Payload | package/android/src/main/assets/edge-currency-accountbased/edge-currency-accountbased.js | 28442470 bytes | 0 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.@fioprotocol/fiosdk | https://github.com/EdgeApp/fiosdk_typescript.git#47df5818442edec69b735d6a723747aad33b8d71 | error | 0 | invalid gzip header |
| dependencies.@zano-project/zano-utils-js | https://github.com/EdgeApp/zano-utils-js/releases/download/v0.0.4-edge.1/zano-project-zano-utils-js-0.0.4.tgz | error | 0 | unexpected end of file |
Manifest
Package metadata
Scripts (16)
| Script | Command |
|---|---|
| clean | rimraf dist lib android/src/main/assets/edge-currency-accountbased |
| cli | node -r sucrase/register cli/cli.ts |
| fix | eslint . --fix |
| lint | NODE_OPTIONS=--max-old-space-size=8192 eslint . |
| make-checkpoints | node -r sucrase/register scripts/makeCheckpoints.ts |
| make-cosmos-chain-json | node -r sucrase/register ./scripts/cosmos-ts-protos/generate-chain-json.ts |
| make-cosmos-protos | node -r sucrase/register ./scripts/cosmos-ts-protos/generate-ts-protos.ts |
| nettest | nyc mocha --config .nettest.mocharc.json |
| node | sucrase -d ./lib -q -t imports,typescript ./src |
| precommit | lint-staged && npm-run-all types test |
| prepare | husky install && patch-package && npm-run-all clean node types webpack |
| start | webpack serve |
| test | nyc mocha |
| types | tsc |
| verify | npm-run-all prepare lint types test |
| webpack | webpack && cp -r android/src/main/assets/edge-currency-accountbased dist |
Dependencies (55)
| Dependency | Spec |
|---|---|
| @chain-registry/client | ^2.0.28 |
| @chain-registry/types | ^2.0.28 |
| @cosmjs/stargate | ^0.32.3 |
| @emurgo/cardano-serialization-lib-nodejs | ^14.1.1 |
| @ethereumjs/common | ^4.0.0 |
| @ethereumjs/tx | ^5.0.0 |
| @fioprotocol/fiosdk | https://github.com/EdgeApp/fiosdk_typescript.git#47df5818442edec69b735d6a723747aad33b8d71 |
| @greymass/eosio | ^0.6.8 |
| @greymass/eosio-resources | ^0.7.0 |
| @hashgraph/sdk | ^2.44.0 |
| @haverstack/axios-fetch-adapter | ^0.12.0 |
| @metaplex-foundation/mpl-token-metadata | ^3.4.0 |
| @metaplex-foundation/umi | ^1.2.0 |
| @mysten/sui | ^1.18.0 |
| @polkadot/api | ^16.5.1 |
| @solana/spl-token | ^0.4.6 |
| @solana/web3.js | ^1.91.8 |
| @taquito/http-utils | ^23.0.2 |
| @taquito/local-forging | ^23.0.2 |
| @taquito/rpc | ^23.0.2 |
| @taquito/signer | ^23.0.2 |
| @taquito/taquito | ^23.0.2 |
| @taquito/utils | ^23.0.2 |
| @ton/core | ^0.59.0 |
| @ton/crypto | ^3.3.0 |
| @ton/ton | ^15.1.0 |
| @zano-project/zano-utils-js | https://github.com/EdgeApp/zano-utils-js/releases/download/v0.0.4-edge.1/zano-project-zano-utils-js-0.0.4.tgz |
| @zondax/izari-filecoin | ^1.2.6 |
| algosdk | ^2.1.0 |
| assert-log | ^0.2.2 |

…and 25 more.