PkgRadar

Package evidence

[email protected]

Remote Dependency Spec: dependencies.ecpair="https://github.com/EdgeApp/ecpair.git#b193eb8ea2ec0c93b528f4b0223a605407ff43e4"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
136
Versions published
83Mature · −50% score
First published
Jun 2022
Publisher
samholmes

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishersamholmes
Artifact bytes690,805
Previous version3.8.9
Published2025-12-19T21:28:31.518Z
SHA-256a5e031ce7ac75611edbc3b88d04a73a940173efb9e64c4d67f13eb4d81efca88

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.ecpair="https://github.com/EdgeApp/ecpair.git#b193eb8ea2ec0c93b528f4b0223a605407ff43e4"

1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
6Score
3.8.10Version
Status history (1 event)
  1. newavailable · risk high · score 6 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highRemote Dependency Specpackage.jsondependencies.ecpair="https://github.com/EdgeApp/ecpair.git#b193eb8ea2ec0c93b528f4b0223a605407ff43e4"12

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
dependencies.ecpairhttps://github.com/EdgeApp/ecpair.git#b193eb8ea2ec0c93b528f4b0223a605407ff43e4error0invalid gzip header

Manifest

Package metadata

Scripts12
  • cleanrimraf android/src/main/assets/edge-currency-plugins dist lib
  • coveragenyc mocha && nyc report --reporter=cobertura --reporter=html
  • fixeslint . --fix
  • libsucrase -q -t typescript,imports -d ./lib ./src
  • linteslint .
  • precommitlint-staged && npm-run-all types test
  • preparehusky install && patch-package && npm-run-all clean lib types webpack
  • startwebpack serve
  • testmocha
  • typestsc
  • verifynpm-run-all prepare lint types test
  • webpackwebpack && cp -r android/src/main/assets/edge-currency-plugins dist
Dependencies24
  • @bitcoinerlab/secp256k1^1.2.0
  • altcoin-js^1.0.0
  • async-mutex^0.2.6
  • baselet^0.3.0
  • biggystring^4.2.3
  • bip32^2.0.5
  • bip32grs^2.0.5
  • bip39^3.0.2
  • bitcoinjs-message^2.2.0
  • blake-hash^2.0.0
  • bn.js^5.1.2
  • bs58^4.0.1
  • bs58grscheck^2.1.2
  • bs58smartcheck^2.0.4
  • cleaners^0.3.17
  • disklet^0.4.5
  • ecpairhttps://github.com/EdgeApp/ecpair.git#b193eb8ea2ec0c93b528f4b0223a605407ff43e4
  • edge-sync-client^0.2.7
  • memlet^0.1.7
  • uri-js^4.4.0
  • url-parse^1.5.2
  • wif-smart^2.0.0
  • wifgrs^2.0.6
  • ws^7.4.6