PkgRadar

Composer · packagist.org

jolicode/castor

Remote Payload: matched "github.com/crazywhalecc/static-php-cli/releases/download"

Why PkgRadar flagged v1.5.0

SeveritySignalEvidence
mediumRemote Payloadmatched "github.com/crazywhalecc/static-php-cli/releases/download" · jolicode-castor-6fb32aa/src/Console/Command/CompileCommand.php
mediumRemote Payloadmatched "curl " · jolicode-castor-6fb32aa/src/Listener/UpdateCastorListener.php
mediumRemote Payloadmatched "raw.githubusercontent.com" · jolicode-castor-6fb32aa/tools/mkdocs/castor.php

Scanned versions

VersionVerdictScoreScanned (UTC)
v1.5.0Review232026-05-27

Block this in CI

PkgRadar gates jolicode/castor (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem composer jolicode/[email protected]
Start free — 25 scans / moView full evidence