npm · registry.npmjs.org
@psnext/slingcli
Remote Payload: matched "github.com/repos/${t}/releases/latest`,{headers:{\"User-Agent\":`${Pt}-coding-agent`},signal:AbortSignal.timeout(V3)});if(!e.ok)throw new Error(`GitHub API error: ${e.status}`);return(await e.json()).tag_name.replace(/^v/,\"\")}async function e4(t,e){let n=await fetch(t,{signal:AbortSignal.timeout(J3)});if(!n.ok)throw new Error(`Failed to download: ${n.status}`);if(!n.body)throw new Error(\"No response body\");let i=j3(e);await z3(H3.fromWeb(n.body),i)}function t4(t,e){let n=[t];for(;n.length>0;){let i=n.pop();if(!i)continue;let s=q3(i,{withFileTypes:!0});for(let o of s){let r=Ni(i,o.name);if(o.isFile()&&o.name===e)return r;o.isDirectory()&&n.push(r)}}return null}function n4(t){if(t.error?.message)return t.error.message;let e=t.stderr?.toString().trim();if(e)return e;let n=t.stdout?.toString().trim();return n||`exit status ${t.status??\"unknown\"}`}function _l(t,e){let n=Zk(t,e,{stdio:\"pipe\"});return!n.error&&n.status===0?null:`${t}: ${n4(n)}`}function i4(t,e,n){let i=_l(\"tar\",[\"xzf\",t,\"-C\",e]);if(i)throw new Error(`Failed to extract ${n}: ${i}`)}function s4(){let t=process.env.SystemRoot??process.env.WINDIR;if(t){let e=Ni(t,\"System32\",\"tar.exe\");if(u0(e))return e}return\"tar.exe\"}function o4(t,e,n){let i=[];if(kp()===\"win32\"){let s=_l(s4(),[\"xf\",t,\"-C\",e]);if(!s)return;i.push(s);let r=_l(\"powershell.exe\",[\"-NoLogo\",\"-NoProfile\",\"-NonInteractive\",\"-ExecutionPolicy\",\"Bypass\",\"-Command\",\"& { param($archive, $destination) $ErrorActionPreference = 'Stop'; Expand-Archive -LiteralPath $archive -DestinationPath $destination -Force }\",t,e]);if(!r)return;i.push(r)}else{let s=_l(\"unzip\",[\"-q\",t,\"-d\",e]);if(!s)return;i.push(s);let o=_l(\"tar\",[\"xf\",t,\"-C\",e]);if(!o)return;i.push(o)}throw new Error(`Failed to extract ${n}: ${i.join(\"; \")}`)}async function r4(t){let e=d0[t];if(!e)throw new Error(`Unknown tool: ${t}`);let n=kp(),i=K3(),s=await 
Z3(e.repo);t===\"fd\"&&n===\"darwin\"&&i===\"x64\"&&(s=\"10.3.0\");let o=e.getAssetName(s,n,i);if(!o)throw new Error(`Unsupported platform: ${n}/${i}`);Yk(Pl,{recursive:!0});let r=`https://github.com/${e.repo}/releases/download"
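Why PkgRadar flagged 2.5.20260607-2
Both signals are pattern matches on download code, not a confirmed malicious behaviour. The matched excerpt from package/slingshot/index.js appears to look up a tool's latest release tag through the GitHub API, download the matching release asset from github.com, and unpack it with tar, unzip or PowerShell Expand-Archive (started with -ExecutionPolicy Bypass). No checksum or signature check on the downloaded archive is visible in the excerpt, which is truncated at both ends. Apart from one pinned case (fd 10.3.0 on darwin/x64), the version fetched is whatever the upstream repository currently publishes. A reviewer should confirm in the full file how the archive is verified and what is done with the extracted files.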
| Severity | Signal | Evidence |
|---|---|---|
| medium | Remote Payload | matched "github.com/repos/${t}/releases/latest`,{headers:{\"User-Agent\":`${Pt}-coding-agent`},signal:AbortSignal.timeout(V3)});if(!e.ok)throw new Error(`GitHub API error: ${e.status}`);return(await e.json()).tag_name.replace(/^v/,\"\")}async function e4(t,e){let n=await fetch(t,{signal:AbortSignal.timeout(J3)});if(!n.ok)throw new Error(`Failed to download: ${n.status}`);if(!n.body)throw new Error(\"No response body\");let i=j3(e);await z3(H3.fromWeb(n.body),i)}function t4(t,e){let n=[t];for(;n.length>0;){let i=n.pop();if(!i)continue;let s=q3(i,{withFileTypes:!0});for(let o of s){let r=Ni(i,o.name);if(o.isFile()&&o.name===e)return r;o.isDirectory()&&n.push(r)}}return null}function n4(t){if(t.error?.message)return t.error.message;let e=t.stderr?.toString().trim();if(e)return e;let n=t.stdout?.toString().trim();return n||`exit status ${t.status??\"unknown\"}`}function _l(t,e){let n=Zk(t,e,{stdio:\"pipe\"});return!n.error&&n.status===0?null:`${t}: ${n4(n)}`}function i4(t,e,n){let i=_l(\"tar\",[\"xzf\",t,\"-C\",e]);if(i)throw new Error(`Failed to extract ${n}: ${i}`)}function s4(){let t=process.env.SystemRoot??process.env.WINDIR;if(t){let e=Ni(t,\"System32\",\"tar.exe\");if(u0(e))return e}return\"tar.exe\"}function o4(t,e,n){let i=[];if(kp()===\"win32\"){let s=_l(s4(),[\"xf\",t,\"-C\",e]);if(!s)return;i.push(s);let r=_l(\"powershell.exe\",[\"-NoLogo\",\"-NoProfile\",\"-NonInteractive\",\"-ExecutionPolicy\",\"Bypass\",\"-Command\",\"& { param($archive, $destination) $ErrorActionPreference = 'Stop'; Expand-Archive -LiteralPath $archive -DestinationPath $destination -Force }\",t,e]);if(!r)return;i.push(r)}else{let s=_l(\"unzip\",[\"-q\",t,\"-d\",e]);if(!s)return;i.push(s);let o=_l(\"tar\",[\"xf\",t,\"-C\",e]);if(!o)return;i.push(o)}throw new Error(`Failed to extract ${n}: ${i.join(\"; \")}`)}async function r4(t){let e=d0[t];if(!e)throw new Error(`Unknown tool: ${t}`);let n=kp(),i=K3(),s=await 
Z3(e.repo);t===\"fd\"&&n===\"darwin\"&&i===\"x64\"&&(s=\"10.3.0\");let o=e.getAssetName(s,n,i);if(!o)throw new Error(`Unsupported platform: ${n}/${i}`);Yk(Pl,{recursive:!0});let r=`https://github.com/${e.repo}/releases/download" · package/slingshot/index.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/bin/sling.js |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 2.5.20260607-2 | Review | 66 | 2026-06-07 |
| 2.5.20260607-1 | Review | 66 | 2026-06-07 |
| 2.5.20260602-4 | Review | 66 | 2026-06-02 |
| 2.5.20260602-3 | Review | 58 | 2026-06-02 |
| 2.5.20260602-2 | Review | 58 | 2026-06-02 |
| 2.5.20260602-1 | Review | 58 | 2026-06-02 |
| 2.4.20260601-1 | Review | 65 | 2026-06-01 |
| 2.4.20260528-1 | Review | 73 | 2026-05-28 |
| 2.4.20260527-2 | Review | 86 | 2026-05-27 |
| 2.4.20260527-3 | Review | 86 | 2026-05-27 |
| 2.4.20260526-1 | Review | 86 | 2026-05-26 |
| 2.4.20260525-4 | Review | 86 | 2026-05-25 |
| 2.4.20260525-3 | Review | 124 | 2026-05-25 |
| 2.4.20260525-2 | Review | 184 | 2026-05-25 |
| 2.4.20260525-1 | Review | 200 | 2026-05-24 |
| 2.4.20260523-2 | Review | 200 | 2026-05-24 |
| 2.4.20260523-3 | Review | 200 | 2026-05-24 |
Block this in CI
pkgradar gate --ecosystem npm @psnext/slingcli@2.5.20260607-2