registry  /  @hfunlabs/hypurr-connect  /  0.1.25

@hfunlabs/hypurr-connect@0.1.25

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React wallet/auth connector that performs user-initiated Telegram, gRPC, and Hyperliquid API calls.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the React provider and initiates login, wallet, trade, or agent actions
Impact
No evidence of unauthorized credential harvesting, persistence, destructive behavior, or exfiltration
Mechanism
User-invoked wallet authentication and exchange transport
Rationale
Static inspection shows suspicious primitives are package-aligned wallet/auth behavior rather than concrete attack behavior. No install-time execution, hidden code execution, filesystem harvesting, or unconsented exfiltration was found.
Evidence
package.jsonsrc/index.tssrc/grpc.tssrc/GrpcExchangeTransport.tssrc/HypurrConnectProvider.tsxsrc/agent.tssrc/privateKeySigner.tsdist/index.js
Network endpoints9
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyz/infoapi.hyperliquid-testnet.xyz/infoapi.hyperliquid.xyz/exchangeapi.hyperliquid-testnet.xyz/exchangeapi-ui.hyperliquid-testnet.xyz/exchangefonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Google+Sans+Code:wght@400;500;600;700&display=swap

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare script "husky" and a git dependency on hypurr-grpc
  • src/agent.ts stores generated agent private keys in localStorage by user address
  • src/HypurrConnectProvider.tsx stores Telegram JWT in localStorage and exchanges auth codes over fetch
Evidence against
  • package.json has no install/postinstall lifecycle hook and entrypoint is dist/index.js
  • Network calls are aligned with wallet/auth functionality: Hypurr gRPC/auth/media and Hyperliquid APIs
  • No child_process, fs file reads/writes, eval/Function, native binary loading, or environment harvesting found
  • Agent key generation and signing are user-invoked wallet flows, with local storage only and no unrelated exfiltration
  • Auth postMessage is restricted to window.location.origin and validates callback state
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependencyNoLicense
scanned 22 file(s), 470 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

Source & flagged code

3 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Dependency Evidence

package.json has prepare script "husky" and a git dependency on hypurr-grpc

package.jsonView on unpkg
src/agent.tsView file
Published source reference
Low
Ai Review Evidence

src/agent.ts stores generated agent private keys in localStorage by user address

src/agent.tsView on unpkg
src/HypurrConnectProvider.tsxView file
Published source reference
Low
Ai Review Evidence

src/HypurrConnectProvider.tsx stores Telegram JWT in localStorage and exchanges auth codes over fetch

src/HypurrConnectProvider.tsxView on unpkg

Findings

2 Medium8 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License
LowSuspicious Dependency Evidencepackage.json
LowAi Review Evidencesrc/agent.ts
LowAi Review Evidencesrc/HypurrConnectProvider.tsx