PkgRadar

npm · registry.npmjs.org

esm.sh

Remote Payload: matched "github.com/esm-dev/esm.sh/releases/download"

Why PkgRadar flagged 0.1.1

SeveritySignalEvidence
highNew Lifecycle Script Vs Previouspostinstall added in 0.1.1 vs 0.0.6: "node install.mjs" · package.json
mediumRemote Payloadmatched "github.com/esm-dev/esm.sh/releases/download" · package/install.mjs
mediumRemote Payloadmatched "github.com/esm-dev/esm.sh/releases/download" · package/bin/esm.sh

Scanned versions

VersionVerdictScoreScanned (UTC)
0.136.0Review142026-06-11
0.136.0-beta.10Review82026-06-11
0.136.0-beta.9Review82026-06-11
0.1.1High risk692026-06-11

Block this in CI

PkgRadar gates esm.sh (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence