defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Stake DAO's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No GHSA or npm security advisory for a malicious release in a dependency consumed by stake-dao/contracts-monorepo detected in public data as of 2026-05-16. Package.json is present (data cache: package_json_present = true). No GitHub security.md present (security_md_present = false) — a hygiene gap but not a Cat 11 fire condition. No active malicious-dependency incident surfaces in OSINT search for Stake DAO packages.

Sources #

  • GitHub
    stake-dao/contracts-monorepo (GitHub) — package_json_present: true; security_md_present: false; no GHSA advisories detected. Retrieved 2026-05-16.
  • Internal
    00-data-cache.json, stake-dao github fields — data cache github section: package_json_present: true; security_md_present: false. Retrieved 2026-05-16.

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.


rubric_version: v1.7.0
protocol: stake-dao
factor: RD-F-160
score: green
collected_at: 2026-05-16 12:29:20