GitHub malicious-dependency incident touching protocol deps
Jupiter Perpetual Exchange's assessment for RD-F-160 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Factor: GitHub-flagged malicious-dependency incident. Jupiter Perps is closed-source (there is no public perps repo), so a direct dependency audit cannot be performed. Security advisories affecting the Anchor framework or the Solana BPF runtime crates would affect Jupiter Perps indirectly through its dependencies, but the closed-source binary prevents verification of which specific dependency versions are embedded. No public GitHub security advisory against Anchor or the Solana core BPF libraries that would specifically affect Jupiter Perps was identified as of 2026-05-16. The closed-source nature is the binding constraint.
Sources
- URL: jup-ag GitHub Organization. jup-ag GitHub org: 185 public repos; no perps source repo for dependency audit. Closed-source binary. Retrieved 2026-05-16.
Methodology
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.