Package evidence

@a-company/[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 666
Versions published: 102
First published: Feb 2026
Publisher: ascend42

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@a-company/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@a-company/[email protected]"],"fail_on":"review"}'

Publisherascend42

Artifact bytes2,257,753

Previous version6.6.3

Published2026-06-01T10:29:02.253Z

SHA-25627f50639feab312099266b4f8af74c6a914d1a9728ef7983fb498bf77d0888a1

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

12d agoLast checked

reviewRisk

12Score

6.6.6Version

Status history (1 event)

new → available12d ago · risk review · score 12 · status changed

Evidence

Static findings

7 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/chunk-Y4XFVDZC.js	matched "raw.githubusercontent.com"	12

Show all 7 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/chunk-Y4XFVDZC.js	matched "raw.githubusercontent.com"	12
low	Obfuscation Density	package/dist/agent-MB3H5EZA.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-QDP4G53M.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-S3UVQ5RV.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-XKNJSPB5.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/shift-TNA2E5O7.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/triage-FCWOZASE.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts13

buildnode scripts/generate-hooks.mjs && tsup && npm run build:sentinel-assets && npm run build:university-assets
build:graph-uicd graph-ui && npx vite build
build:lore-uicd lore-ui && npx vite build
build:platform-uicd platform-ui && npx vite build
build:sentinel-assetsrm -rf dist/sentinel-ui && cp -r ../sentinel/ui/dist dist/sentinel-ui
build:university-assetsrm -rf dist/university-ui dist/university-content && cp -r ../university/ui/dist dist/university-ui && cp -r ../university/src/content dist/university-content
check:hooksnode scripts/generate-hooks.mjs --check
devtsup src/index.ts --format esm --dts --watch
linteslint src/commands/
prepublishOnlynpm run build
testvitest run
test:watchvitest
typechecktsc --noEmit

Dependencies17

@a-company/portal-core*
@a-company/registry-client^0.1.0
@a-company/university-core*
@modelcontextprotocol/sdk^1.0.0
chalk^5.3.0
commander^11.1.0
express^5.2.1
glob^13.0.0
js-yaml^4.1.0
open^10.0.3
ora^8.0.1
prompts^2.4.2
simple-git^3.22.0
sql.js^1.10.3
uuid^9.0.0
ws^8.19.0
zod^3.23.0