PkgRadar

Package evidence

@mneme-ai/[email protected]

Shipped Live Secret, Js Decode Then Exec, Reverse Shell +3 more

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
11,874Mainstream · −50% score
Versions published
733
First published
May 2026
Publisher
mneme_npm

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mneme-ai/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mneme-ai/[email protected]"],"fail_on":"high"}'
Publishermneme_npm
Artifact bytes8,117,298
Previous version3.152.0
Published2026-06-25T05:42:07.707Z
SHA-256d7b71c7b9f9fb609a28f2e35eb6e34b9a3ec9f684b8e6d3d25aa87a1957c7a32

Why flagged

What the scanner saw

Shipped Live Secret

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
186Score
3.153.0Version
Status history (1 event)
  1. newavailable · risk high · score 186 · status changed

Evidence

Static findings

39 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highJs Decode Then Execmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highReverse Shellmanifest40
highReverse Shellmanifest40
highLlm Injection Payloadmanifest40
highLlm Injection Payloadmanifest40
mediumTls Verification Disabledmanifest12
Show all 39 findings (low-signal and informational)
SeverityKindPathDetailPoints
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highJs Decode Then Execmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highShipped Live Secretmanifest45
highReverse Shellmanifest40
highReverse Shellmanifest40
highLlm Injection Payloadmanifest40
highLlm Injection Payloadmanifest40
mediumTls Verification Disabledmanifest12
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5

Manifest

Package metadata

Dependencies3
  • typescript^5.6.3
  • yaml^2.6.1
  • zod^3.23.8
Optional dependencies1
  • z3-solver^4.16.0