GitHub malicious-dependency incident touching protocol deps
Kinetiq's assessment for RD-F-160 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Post-v1 signal infrastructure. Applicable: yes — Kinetiq uses OpenZeppelin contracts and Hyperliquid HyperEVM precompiles. No GitHub security advisory or npm/crates.io malicious-release incident found in public searches affecting Kinetiq dependencies in the trailing 90 days as of 2026-05-17. Core contracts repo is private — GitHub advisory monitoring not possible without opt-in.
Sources #
- GitHubKinetiq Research GitHub Orggithub.com/kinetiq-research — 2 public repos (hl-rs Rust SDK, f1rewall Discord gateway); core contracts repo private; no public advisory for these repos foundretrieved 2026-05-17
Methodology #
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol kinetiq factor RD-F-160 score gray collected_at 2026-05-17 15:29:57