npm · registry.npmjs.org

pmx-canvas

Remote Payload: matched "curl "

Why PkgRadar flagged 0.1.22

Severity	Signal	Evidence
medium	Remote Payload	matched "curl " · package/skills/published-consumer-e2e/scripts/run-published-consumer-e2e.sh
medium	Remote Payload	matched "cUrl " · package/src/server/server.ts

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.1.36`	Low risk	0	2026-06-09
`0.1.35`	Low risk	0	2026-06-08
`0.1.34`	Low risk	0	2026-06-08
`0.1.33`	Low risk	0	2026-06-08
`0.1.32`	Low risk	0	2026-06-07
`0.1.31`	Low risk	0	2026-06-07
`0.1.30`	Low risk	0	2026-06-07
`0.1.29`	Low risk	0	2026-06-06
`0.1.28`	Low risk	0	2026-06-06
`0.1.27`	Low risk	0	2026-06-06
`0.1.26`	Low risk	0	2026-06-03
`0.1.25`	Low risk	0	2026-06-03
`0.1.24`	Low risk	0	2026-06-03
`0.1.22`	Review	24	2026-05-25
`0.1.23`	Review	24	2026-05-25

Block this in CI

PkgRadar gates pmx-canvas (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]