
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@starkscan/sdk
Advanced tools
TypeScript SDK for the Starkscan Starknet explorer API.
Status: public 0.1.2 stable release. The npm latest tag points to the real
SDK package. Use the untagged install for normal setup and pin 0.1.2 for
unattended agents or production services that need reproducible installs.
npm install @starkscan/sdk
Exact pin for unattended services:
npm install @starkscan/sdk@0.1.2
Prerelease tags such as @beta are maintainer-directed test channels only.
Normal users and agents should use the default package or the exact 0.1.2
pin above.
import { createStarkscanClient } from '@starkscan/sdk';
const starkscan = createStarkscanClient({
apiKey: process.env.STARKSCAN_API_KEY!,
chainId: 'SN_MAIN',
});
const status = await starkscan.status();
console.log(status.chainId, status.headBlockNumber ?? status.latestIndexedBlockNumber);
The SDK defaults to https://api.starkscan.co, sends
X-Starkscan-Api-Key, and uses the same REST contract as the CLI. MCP uses a
separate transport: POST https://api.starkscan.co/mcp on the API domain, or
POST {appBaseUrl}/api/mcp on app-origin deployments. Set
STARKSCAN_BASE_URL only for preview or self-hosted Starkscan hosts, and map
STARKSCAN_CHAIN to the SDK chainId option when you want env-driven clients.
The package is ESM-only and supports Node.js 18 or newer. CommonJS consumers
should use dynamic import('@starkscan/sdk').
withChain('SN_SEPOLIA').const block = await starkscan.block(8279910, 5);
const txs = await starkscan.blockTransactions(8279910, undefined, 25);
const tx = await starkscan.transaction('0x...');
const activity = await starkscan.addressActivity('0x...');
const holdings = await starkscan.addressTokenHoldings('0x...');
const transfers = await starkscan.tokenTransfers('0xtoken', {
addresses: ['0xwalletA', '0xwalletB'],
limit: 100,
});
Starkscan responses expose freshness, exactness, pagination, and truncation signals directly. Use helper functions instead of guessing whether a response is complete:
import { getCompleteness, getLagBlocks, hasMorePages, isExact } from '@starkscan/sdk';
const holdings = await starkscan.addressTokenHoldings('0x...');
const completeness = getCompleteness(holdings);
if (isExact(holdings) === false) {
console.warn('Holdings are bounded or partial', completeness.flags);
}
if (hasMorePages(await starkscan.addressActivity('0x...'))) {
console.log('Continue with nextCursor before summarizing totals');
}
const status = await starkscan.status();
console.log('index lag', getLagBlocks(status));
Prefer createStarkscanClient() for application code. If you use HttpClient
directly, generic calls such as getJson<T>(), postJson<T>(), or
putJson<T>() return unknown unless you pass a JsonResponseValidator<T>.
That keeps network-boundary validation explicit.
await http.getJson<MyEnvelope>(path, undefined, validateMyEnvelope);
await http.postJson<MyEnvelope>(path, body, validateMyEnvelope);
await http.putJson<MyEnvelope>(path, body, validateMyEnvelope);
Socket is an external package-risk signal, not a Starkscan security certificate. The public trust source is Starkscan docs because the canonical engineering repository is private. Package promotion also requires checked release scripts, packed-tarball smoke, npm Trusted Publishing/OIDC for CI publishes, and live API smoke proof.
latest: default public 0.1.2 release.beta: prerelease channel for explicit tests only.alpha: historical prerelease channel; use only when directed during rollback.Server-side key tiers control route access. The package stays the same; entitlements do not.
FAQs
TypeScript SDK for the Starkscan Starknet block explorer API.
We found that @starkscan/sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.