PkgRadar

npm · registry.npmjs.org

@clagentic/console

Remote Payload: matched "curl "

Why PkgRadar flagged 1.4.1

SeveritySignalEvidence
highNew Lifecycle Script Vs Previouspostinstall added in 1.4.1 vs 1.4.0: "node scripts/postinstall.js" · package.json
mediumRemote Payloadmatched "curl " · package/lib/os-users.js
mediumRemote Payloadmatched "raw.githubusercontent.com" · package/lib/project-http.js

Scanned versions

VersionVerdictScoreScanned (UTC)
1.5.0-beta.2Review102026-06-12
1.5.0-beta.1Review102026-06-11
1.4.1High risk742026-06-10
1.4.0Review82026-06-06
1.4.0-beta.3Review82026-06-05
1.4.0-beta.2Review82026-05-31
1.4.0-beta.1Review82026-05-31
1.3.0Review82026-05-29
1.3.1-beta.1Review82026-05-29
1.3.0-beta.1Review82026-05-29
1.3.0-beta.2Review82026-05-29
1.2.0Review272026-05-26
1.2.1-beta.1Review272026-05-26

Campaign attribution

Part of the asteroiddao npm campaign campaign.

Block this in CI

PkgRadar gates @clagentic/console (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @clagentic/[email protected]
Start free — 25 scans / moView full evidence