Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
@bitgo/bip174
Advanced tools
bip174
A BIP174 compatible partial Transaction encoding library.
Bitcoin users, use bitcoinjs-lib's Psbt class.
This library is separate as an attempt to separate Bitcoin specific logic from the encoding format.
I apologize if this library is hard to use. Removing Bitcoin specific logic from "Partially Signed BITCOIN Transaction" format was kind of hard.
Responsibilities Covered
- Creator: You can create a new psbt and add inputs and outputs, then add extra info to the inputs using each individual method. (Note: Psbt.fromTransaction can create a PSBT from a serialized transaction, but all scriptSigs and witnessStacks must be empty, and the transaction should not have the segwit marker and flagbyte.)
- Updater: You can add one of all types of the input and output information. Each function has strict type checking at runtime.
- Combiner: using Psbt.combine(...Psbt[]), it will do a dumb merge gathering all the new key value pairs from the subsequent PSBTs into itself. The psbt calling
combinehas highest priority.
Responsibilities NOT Covered
In order to keep this library as separate from Bitcoin logic as possible, This library will not implement the following responsibilities. But rather, down the road bitcoinjs-lib will adopt this class and extend it internally to allow for the following:
- Signer: This class has no way to sign. You may add a PartialSig object though.
- Extractor: This class has minimal knowledge of Bitcoin transactions, so creating a full transaction from a PSBT must be done with a bitcoin aware extended class.
- Input Finalizer: This class, again, has no knowledge of whether an input is finished.
Static methods and addInput / addOutput require an abstract Transaction object
- Static methods: You must pass a
TransactionFromBuffertyped function. Seets_src/lib/interfaces.tsfor info on theTransactioninterface and theTransactionFromBufferfunction. - addInput/addOutput methods: The constructor takes a
Transactionabstract interface that has an addInput/addOutput method which will be called.
Example
const { Psbt } = require('bip174')
const { PsbtTransaction , pTxFromBuffer } = require('./someImplementation')
// Psbt requires a Transaction interface to create an instance, as well as
// A function that turns a buffer into that interface. See Transaction and TransactionFromBuffer
// in ts_src/lib/interfaces.ts ...
// See tests/utils/txTools file for an example of a simple Bitcoin Transaction.
// Also see BitcoinJS-lib for an extended class that uses the Transaction class internally.
// Anyone using this library for Bitcoin specifically should use bitcoinjs-lib
// Your PsbtTransaction will have a toBuffer function to allow for serialization
const tx = pTxFromBuffer(someTransactionBuffer);
const psbt = new Psbt(tx)
// OR
// This will parse the PSBT, and use the function you pass to parse the Transaction part
// the function should throw if the scriptSig section is not empty
const psbt = Psbt.fromBuffer(somePsbtBuffer, pTxFromBuffer)
psbt.addInput({
hash: '865dce988413971fd812d0e81a3395ed916a87ea533e1a16c0f4e15df96fa7d4',
index: 3,
})
psbt.addInput({
hash: 'ff5dce988413971fd812d0e81a3395ed916a87ea533e1a16c0f4e15df96fa7d4',
index: 1,
})
psbt.addOutput({
script: Buffer.from(
'a914e18870f2c297fbfca54c5c6f645c7745a5b66eda87',
'hex',
),
value: 1234567890,
})
psbt.addOutput({
script: Buffer.from(
'a914e18870f2c297fbfca54c5c6f645c7745a5b66eda87',
'hex',
),
value: 987654321,
})
psbt.addRedeemScriptToInput(0, Buffer.from(
'00208c2353173743b595dfb4a07b72ba8e42e3797da74e87fe7d9d7497e3b2028903',
'hex',
))
psbt.addWitnessScriptToInput(0, Buffer.from(
'522103089dc10c7ac6db54f91329af617333db388cead0c231f723379d1b9903' +
'0b02dc21023add904f3d6dcf59ddb906b0dee23529b7ffb9ed50e5e861519268' +
'60221f0e7352ae',
'hex',
))
psbt.addBip32DerivationToInput(0, {
masterFingerprint: Buffer.from('d90c6a4f', 'hex'),
pubkey: Buffer.from(
'023add904f3d6dcf59ddb906b0dee23529b7ffb9ed50e5e86151926860221f0e73',
'hex',
),
path: "m/0'/0'/3'",
})
psbt.addBip32DerivationToInput(0, {
masterFingerprint: Buffer.from('d90c6a4f', 'hex'),
pubkey: Buffer.from(
'03089dc10c7ac6db54f91329af617333db388cead0c231f723379d1b99030b02dc',
'hex',
),
path: "m/0'/0'/2'",
})
const b64 = psbt.toBase64();
LICENSE MIT
FAQs
Fork of bip174 with BitGo specific changes
The npm package @bitgo/bip174 receives a total of 104 weekly downloads. As such, @bitgo/bip174 popularity was classified as not popular.
We found that @bitgo/bip174 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Package last updated on 23 Jan 2023
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025