npm · registry.npmjs.org

@haposoft/cafekit

Obfuscation Density: high encoded/escaped-token density

Why PkgRadar flagged 0.9.0

Severity	Signal	Evidence
medium	Obfuscation Density	high encoded/escaped-token density · package/src/claude/skills/chrome-devtools/scripts/package-lock.json
medium	Remote Payload	matched "wget " · package/src/claude/skills/chrome-devtools/scripts/install-deps.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.12.0`	Low risk	0	2026-06-16
`0.11.11`	Low risk	0	2026-06-09
`0.11.8`	Low risk	0	2026-06-09
`0.11.9`	Low risk	0	2026-06-03
`0.11.10`	Low risk	0	2026-06-03
`0.11.7`	Low risk	0	2026-06-03
`0.11.4`	Low risk	0	2026-06-03
`0.11.5`	Low risk	0	2026-06-03
`0.11.3`	Low risk	0	2026-06-03
`0.11.2`	Low risk	0	2026-06-02
`0.11.0`	Low risk	0	2026-06-02
`0.10.3`	Low risk	0	2026-06-01
`0.10.2`	Low risk	0	2026-06-01
`0.10.0`	Low risk	0	2026-06-01
`0.9.7`	Low risk	0	2026-06-01
`0.9.6`	Low risk	0	2026-06-01
`0.9.5`	Low risk	0	2026-06-01
`0.9.4`	Low risk	0	2026-06-01
`0.9.3`	Low risk	0	2026-05-29
`0.9.2`	Low risk	0	2026-05-28
`0.9.0`	Review	16	2026-05-27
`0.9.1`	Review	16	2026-05-27
`0.8.17`	Review	16	2026-05-26
`0.8.15`	Review	24	2026-05-25
`0.8.16`	Review	24	2026-05-25

Block this in CI

PkgRadar gates @haposoft/cafekit (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @haposoft/[email protected]