No confirmed malicious attack surface is established. The package is an API/crypto/database utility library with user-invoked HTTP helpers; the built-in-name dependency appears noisy because require("https") targets Node core.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports library and explicitly calls exported API/logging/session/price helper methods.
Impact
No unsolicited install-time/import-time execution or exfiltration identified.
Mechanism
caller-directed HTTP client/server utilities and cryptographic helpers
Rationale
Static inspection found only package-aligned, caller-invoked networking and crypto/session utilities, with no lifecycle hooks, import-time side effects, code execution primitives, local secret harvesting, or persistence. The scanner's built-in dependency finding is a supply-chain hygiene issue but not concrete malicious behavior in this package version.
Evidence
package.jsondist/index.jsdist/api/HttpsAPIService.jsdist/api/request/RequestAxiosCall.jsdist/api/external/ExternalApiConnection.jsdist/log/Logger.jsdist/log/LoggerManager.jsdist/api/request/crud/common/ServiceSessionManager.jsdist/web3/coingecko/CoingeckoPriceFinder.js
Network endpoints1
api.coingecko.com/api/v3/coins/