PkgRadar

npm · registry.npmjs.org

@bufferapp/publish

Remote Payload: matched "curl "

Why PkgRadar flagged 0.0.1

SeveritySignalEvidence
mediumRemote Payloadmatched "curl " · package/.travis.yml
mediumRemote Payloadmatched "github.com/bufferapp/buffer-static-upload/releases/download" · package/pre-build.sh
mediumObfuscation Densityhigh encoded/escaped-token density · package/packages/utils/twitter.text.js

Scanned versions

VersionVerdictScoreScanned (UTC)
0.0.1Review362026-05-27

Block this in CI

PkgRadar gates @bufferapp/publish (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @bufferapp/[email protected]
Start free — 25 scans / moView full evidence