tempo-docs

No clear evidence of stealthy malware (no obfuscation, dynamic execution, or exfiltration behavior is visible in this fragment). However, the module is operationally high-risk because it embeds private key material for signing and starts an HTTP relay/signing listener on port 3000. This could enable unauthorized transaction/signing actions if deployed improperly or if relay access is not strictly controlled. Treat the package as sensitive and verify that real private keys are never shipped and that the server is not reachable beyond intended boundaries.

No direct malware is evidenced by executable code in this lockfile. The notable supply-chain risk indicators are (1) a dependency resolved from a non-standard external URL source (vocs via pkg.pr.new) and (2) local patchedDependencies that modify third-party package artifacts via patch files. These should be verified by auditing patch contents and validating the provenance/equivalence of the non-standard tarball; also review runtime telemetry configuration and apply network egress controls to reduce privacy/exfil risk.