defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Assessment of GMX v2 (GMX Synthetics) for factor RD-F-160 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No GitHub Security Advisory (GHSA) specifically targeting a dependency used by gmx-synthetics was documented at the assessment date. The September 2025 Shai-Hulud npm supply-chain attack (CISA alert of 2025-09-23) and the October 2025 PhantomRaven campaign targeted the npm ecosystem broadly; no gmx-synthetics dependency was confirmed compromised in either. Data cache: package_json_present: true, oz_contracts_version: 4.9.3. OpenZeppelin Contracts 4.9.3 has no critical unpatched advisory per a public GHSA search. This is a negative search result at one point in time, not a verification of the resolved dependency tree: package.json records declared semver ranges rather than the versions a lockfile actually resolves, and the answer changes as the advisory feed does, so ongoing GHSA feed monitoring is required.

Sources #

  • URL
    https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem (retrieved 2026-05-05)
  • GitHub
    https://github.com/gmx-io/gmx-synthetics (retrieved 2026-05-05)

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
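One way to run this check mechanically, as an added example that is not code from defirisk.co or from the gmx-synthetics repository: read the resolved versions out of an npm lockfile (including nested transitive installs), build the batch query the OSV API expects, and match the result against advisories that list an explicit affected version. The lockfile and the advisory feed below are constructed samples; only @openzeppelin/contracts 4.9.3 mirrors the data cache above, and every other package name and every advisory ID is hypothetical. The block performs no network I/O and only handles advisories that enumerate `versions` (malicious-package entries normally do), not semver `ranges`.

```python
"""Cross-check an npm lockfile's resolved versions against a malicious-package advisory feed.

Added example for the RD-F-160 check; not code from defirisk.co or gmx-synthetics.
SAMPLE_LOCK and SAMPLE_ADVISORIES are constructed: only @openzeppelin/contracts 4.9.3
mirrors the assessment's data cache; other package names and all advisory IDs are hypothetical.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed lockfile in npm lockfileVersion 3 shape (package.json would only show ranges).
SAMPLE_LOCK = {
    "name": "sample-project",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-project", "dependencies": {"@openzeppelin/contracts": "^4.9.3"}},
        "node_modules/@openzeppelin/contracts": {"version": "4.9.3"},
        "node_modules/example-build-helper": {"version": "2.1.0"},
        # nested install: a transitive dependency of example-build-helper
        "node_modules/example-build-helper/node_modules/example-cli-helper": {"version": "1.2.3"},
    },
}

# Constructed advisory feed in a minimal OSV-style shape. IDs are placeholders, not real advisories.
# OSV exports of the OpenSSF malicious-packages project carry the "MAL-" prefix, and GitHub's
# malware advisories use "Malicious code in ..." summaries; both are treated as malicious below.
SAMPLE_ADVISORIES = [
    {
        "id": "MAL-0000-0001",
        "summary": "Malicious code in example-cli-helper (npm)",
        "affected": [{"package": {"ecosystem": "npm", "name": "example-cli-helper"},
                      "versions": ["1.2.3", "1.2.4"]}],
    },
    {
        "id": "GHSA-0000-0000-0000",
        "summary": "Hypothetical non-malware advisory for example-build-helper",
        "affected": [{"package": {"ecosystem": "npm", "name": "example-build-helper"},
                      "versions": ["2.0.0"]}],
    },
]


def resolved_packages(lock: dict) -> Dict[str, Set[str]]:
    """Map package name -> set of resolved versions, including nested (transitive) installs.

    Reads the lockfile's `packages` map rather than package.json: a malicious release is
    typically a new patch version that a caret range would admit on a fresh install, and
    only the lockfile records what was actually resolved.
    """
    out: Dict[str, Set[str]] = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if version:
            out.setdefault(name, set()).add(version)
    return out


def osv_batch_payload(pkgs: Dict[str, Set[str]]) -> dict:
    """Request body for POST https://api.osv.dev/v1/querybatch (documented shape; no call made here)."""
    return {"queries": [{"package": {"name": n, "ecosystem": "npm"}, "version": v}
                        for n in sorted(pkgs) for v in sorted(pkgs[n])]}


def flagged(pkgs: Dict[str, Set[str]], advisories: List[dict]) -> List[Tuple[str, str, str, bool]]:
    """Return (advisory_id, package, version, is_malicious) for each resolved version an advisory lists."""
    hits: List[Tuple[str, str, str, bool]] = []
    for adv in advisories:
        malicious = adv["id"].startswith("MAL-") or "malicious" in adv.get("summary", "").lower()
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != "npm":
                continue
            listed = set(aff.get("versions", []))  # explicit versions only; `ranges` not evaluated
            for v in sorted(pkgs.get(pkg.get("name"), ())):
                if v in listed:
                    hits.append((adv["id"], pkg["name"], v, malicious))
    return hits


def malicious_dependency_hits(lock: dict, advisories: List[dict]) -> List[Tuple[str, str, str, bool]]:
    """The RD-F-160 question: which resolved dependencies carry a malicious-release advisory."""
    return [h for h in flagged(resolved_packages(lock), advisories) if h[3]]


if __name__ == "__main__":
    pkgs = resolved_packages(SAMPLE_LOCK)
    print(json.dumps(osv_batch_payload(pkgs), indent=2))
    for hit in flagged(pkgs, SAMPLE_ADVISORIES):
        print("FLAGGED", hit)
```

In practice the payload goes to the OSV batch endpoint (or the GHSA feed is pulled and filtered the same way), and the check is re-run on every lockfile change and on every feed update, since a clean result at one date says nothing about a release published the next day. A hit on a nested path matters as much as a top-level one: the sample deliberately places the flagged package two levels deep.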

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol gmx-v2 factor RD-F-160 score gray collected_at 2026-05-05 11:15:06