pumpfun
Audited by Socket on Feb 20, 2026
1 alert found:
Security: This module provides many read-only API helpers (low risk) but also includes flows that load a local Solana keypair and sign VersionedTransaction objects returned by a remote endpoint. The most significant security risk is the design that posts the user's public key to a remote 'trade-local' endpoint (by default https://pumpportal.fun/api/trade-local, or an environment-variable override) and then blindly deserializes, signs, and broadcasts the transaction bytes it returns. If the remote endpoint (or the domain's DNS/HTTPS chain) is compromised, an attacker can construct malicious transactions (transfer funds, set authorities, approve token allowances, etc.) and have the user sign them. This is a high-impact supply-chain/network risk.

Additional lower risks include fetching arbitrary images (possible SSRF when run in privileged environments) and uploading user-supplied metadata.

Recommendations: require explicit user confirmation and transaction inspection before signing; avoid signing transactions returned verbatim from remote services without client-side verification; restrict and validate PUMPFUN_LOCAL_TX_URL and ensure TLS/DNS security; keep private keys out of easily compromised environments.

There is no direct evidence that the code is itself malware, but its transaction-signing pattern represents a potentially dangerous trust model.