defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

deBridge's assessment for RD-F-160 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

**Phase:** v1 deferred (P1)

**Applicable:** Yes — debridge-finance repos consume npm/GitHub dependencies. A supply-chain attack on a dependency would be relevant.

**Current posture:** No GitHub advisory flagging a malicious release in deBridge's dependency tree detected as of 2026-04-26. The recent Halborn audits (through 2024-12-30) would have been sensitive to supply-chain issues.

**Would fire today:** No — no current advisory found.

**Source:** https://github.com/debridge-finance/debridge-...

Sources

Methodology

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.


rubric_version: v1.7.0 | protocol: debridge | factor: RD-F-160 | score: gray | collected_at: 2026-04-28 01:27:58