PkgRadar

npm · registry.npmjs.org

mcp-state-machine-test-framework

Remote Payload: matched "curl "

Why PkgRadar flagged 12.9.1

SeveritySignalEvidence
mediumRemote Payloadmatched "curl " · package/maps/web/api_multi_map.json
mediumObfuscation Densityhigh encoded/escaped-token density · package/new_project_demo/package-lock.json

Scanned versions

VersionVerdictScoreScanned (UTC)
12.9.1Review162026-05-27
12.9.2Review242026-05-27
12.7.4Review162026-05-25
12.7.2Review162026-05-25
12.7.3Review162026-05-25

Block this in CI

PkgRadar gates mcp-state-machine-test-framework (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence