npm · registry.npmjs.org

agent-threat-rules

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Why PkgRadar flagged 3.4.0

Severity	Signal	Evidence
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/dist/eval/corpus.js
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/dist/eval/rule-corpus.js
high	Known Indicator Filename	package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml · package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`3.4.0`	High risk	195	2026-06-15
`3.0.5`	High risk	266	2026-06-13
`3.3.1`	High risk	192	2026-06-11
`3.3.0`	High risk	192	2026-06-11
`3.2.0`	High risk	189	2026-06-10
`3.1.1`	High risk	189	2026-06-10
`3.1.0`	High risk	189	2026-06-10
`2.2.1`	Review	132	2026-05-29

Block this in CI

PkgRadar gates agent-threat-rules (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]

Start free — 25 scans / mo View full evidence