GitHub malicious-dependency incident touching protocol deps

Sanctum's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No GitHub security advisory flagging a malicious release in Sanctum's Rust/Cargo dependency chain found as of 2026-05-04. The unstake-program README references cargo-audit and Soteria scanner usage (per profile §11), indicating security-conscious dependency management. No active CVE or GHSA against Sanctum's dependencies identified. v1 deferred signal.

Sources #

GitHub
Igneous Labs GitHub — no dependency advisoriesigneous-labs GitHub org — no security advisories found for Sanctum reposretrieved 2026-05-04

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sanctum factor RD-F-160 score green collected_at 2026-05-04 18:49:23