{"id":18609622,"url":"https://github.com/polkadot-js/phishing","last_synced_at":"2025-10-21T18:05:38.629Z","repository":{"id":36965792,"uuid":"297339779","full_name":"polkadot-js/phishing","owner":"polkadot-js","description":"A curated list of known less-than-honest operators on Polkadot and Substrate networks. Includes a simple JS utility function to check any host or address against this list.","archived":false,"fork":false,"pushed_at":"2025-10-15T13:00:44.000Z","size":44703,"stargazers_count":206,"open_issues_count":4,"forks_count":162,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-10-16T04:09:45.166Z","etag":null,"topics":["blockchain","phishing","polkadot","polkadot-js","substrate"],"latest_commit_sha":null,"homepage":"https://polkadot.js.org/phishing/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/polkadot-js.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-09-21T12:57:12.000Z","updated_at":"2025-10-15T13:00:47.000Z","dependencies_parsed_at":"2023-12-20T15:50:43.440Z","dependency_job_id":"f305b3e0-6cee-45ff-868c-a105ea060f4f","html_url":"https://github.com/polkadot-js/phishing","commit_stats":{"total_commits":5855,"total_committers":47,"mean_commits":"124.57446808510639","dds":0.5159692570452605,"last_synced_commit":"ff5ac5596bdd3b95867153eb4824480bb443c132"},"previous_names":[],"tags_count":80,"template":false,"template_full_name":null,"purl":"pkg:github/polkadot-js/phishing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polkadot-js%2Fphishing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polkadot-js%2Fphishing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polkadot-js%2Fphishing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polkadot-js%2Fphishing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/polkadot-js","download_url":"https://codeload.github.com/polkadot-js/phishing/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polkadot-js%2Fphishing/sbom","scorecard":{"id":541629,"data":{"date":"2025-08-11","repo":{"name":"github.com/polkadot-js/phishing","commit":"373d11194b33490fd8546bb074aa36447dbc41cf"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.7,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":5,"reason":"Found 15/30 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/auto-approve.yml:1","Warn: no topLevel permission defined: .github/workflows/auto-merge.yml:1","Warn: no topLevel permission defined: .github/workflows/crosscheck.yml:1","Warn: no topLevel permission defined: .github/workflows/lock.yml:1","Warn: no topLevel permission defined: .github/workflows/pr-any.yml:1","Warn: no topLevel permission defined: .github/workflows/push-master.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/crosscheck.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/crosscheck.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/crosscheck.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/crosscheck.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/crosscheck.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/crosscheck.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/crosscheck.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/crosscheck.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-any.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/pr-any.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-any.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/pr-any.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-any.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/pr-any.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/push-master.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/push-master.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/push-master.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/push-master.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/push-master.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/push-master.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/push-master.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/polkadot-js/phishing/push-master.yml/master?enable=pin","Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned","Info:   5 out of   6 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 15 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"58 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-cph5-m8f7-6c5x","Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-xq7p-g2vc-g82p","Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc","Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx","Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc","Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97","Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj","Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j","Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27","Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh","Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42","Warn: Project is vulnerable to: GHSA-896r-f27r-55mw","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55","Warn: Project is vulnerable to: GHSA-px4h-xg32-q955","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w","Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j","Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-x3m3-4wpv-5vgc","Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg","Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5","Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p","Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6","Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj","Warn: Project is vulnerable to: GHSA-wpg7-2c88-r8xv","Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9","Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw","Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc","Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh","Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p","Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986","Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6","Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v","Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T08:20:21.903Z","repository_id":36965792,"created_at":"2025-08-20T08:20:21.903Z","updated_at":"2025-08-20T08:20:21.903Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280308833,"owners_count":26308534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-21T02:00:06.614Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blockchain","phishing","polkadot","polkadot-js","substrate"],"created_at":"2024-11-07T03:06:40.197Z","updated_at":"2025-10-21T18:05:38.602Z","avatar_url":"https://github.com/polkadot-js.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# @polkadot/phishing\n\nA curated list of potentially less-than-honest sites inclusive of a simple JS utility function to check any host against this list.\n\n\n### Additions\n\nTo add a new site, edit [all.json](https://github.com/polkadot-js/phishing/edit/master/all.json) and add any new entries, single or multiple is allowed per edit.\n\nTo add a new scam address (typically per site), edit [address.json](https://github.com/polkadot-js/phishing/edit/master/address.json) and add it in the correct section (which is keyed by the site providing them).\n\n\n### Availability\n\nMaking additions to the list will be reflected on merge at [polkadot.js.org/phishing/all.json](https://polkadot.js.org/phishing/all.json) \u0026  [polkadot.js.org/phishing/address.json](https://polkadot.js.org/phishing/address.json). These can be consumed via [@polkadot/phishing](https://github.com/polkadot-js/phishing/tree/master/packages/phishing) and other tools capable of parsing JSON.\n\nThe `{address, all}.json` files are also published to IPFS, via [ipns/phishing.dotapps.io](https://ipfs.io/ipns/phishing.dotapps.io/). Libraries can also consume from here for a decentralized approach.\n\n\n## Notable users\n\nThe following wallets integrate either address or site blocking from these lists:\n\n\u003c!--\n\nNote to editors: Additions welcome. Keep it alphabetical after the\norg-specific projects, i.e. polkadot{.js} first, rest alphabetical\nfollowing that\n\n--\u003e\n\n- [polkadot{.js} extension](https://github.com/polkadot-js/extension)\n- [polkadot{.js} apps](https://polkadot.js.org/apps)\n- [Nova Wallet](https://novawallet.io/)\n- [Fearless Wallet](https://fearlesswallet.io/)\n- [polkadot js Plus](http://polkadotjs.plus)\n- [SubWallet](https://subwallet.app/)\n- [Talisman](https://talisman.xyz)\n\n\n### Integration\n\nSince the lists are published as JSON, integration for any non-JS wallets (only a JS library that is provided) should be simple - retrieve the applicable list, parse the JSON, and do the required checks either on the host or address as per the requirements. The Javascript library does have some features that may be worth thinking about for other integrations -\n\n- instead of retrieving the list each time a request is made, a local copy is cached for 45 minutes and then re-retrieved when the timer expires (as a request is made)\n- for address checks, the check is done on the decoded ss58 address to ensure that network-jumps with the same keys are avoided (so addresses do not have to be re-added for other networks, a single entry will cover all)\n\n\n### Contributing\n\nThese lists are intended to be maintained with active input from the community, so contributions are welcome, either via a pull request (edit above as described in additions) or by [logging an issue](https://github.com/polkadot-js/phishing/issues).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpolkadot-js%2Fphishing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpolkadot-js%2Fphishing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpolkadot-js%2Fphishing/lists"}