Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@abraca/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@abraca/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Payload: matched "cUrl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 135 · status changed
Related candidates
Linked campaigns and clusters
rgby
4 members · evidence strength 84Evidence
Static findings
30 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/runtime/composables/useCommandPalette.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useDocImport.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useDocSlugs.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useFollowUser.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useIdentityDoc.js | matched "cUrl " | 12 |
Show all 30 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/runtime/composables/useCommandPalette.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useDocImport.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useDocSlugs.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useFollowUser.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/runtime/composables/useIdentityDoc.js | matched "cUrl " | 12 |
| low | Obfuscation | package/dist/runtime/server/plugins/abracadabra-service.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/runtime/utils/caretCoordinates.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/dist/runtime/utils/chatContent.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/server/utils/docCache.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/utils/duplicateDocContent.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/dist/runtime/locale.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/runtime/utils/notificationRenderers.js | matched "\\xB7" | 3 |
| low | Obfuscation | package/dist/runtime/plugin-abracadabra.client.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/runtime/server/utils/schemaServerSupport.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/utils/schemaSupport.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/utils/slugify.js | matched "\\u0300" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useAbracadabraSchema.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useCalendarView.js | matched "\\u2013" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useChat.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useDevicePairing.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useDocExport.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useDocLabels.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useEditorSuggestions.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useNotifications.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/runtime/composables/usePluginCatalog.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useSheetsFormulas.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useSheetsView.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useVoice.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/runtime/composables/useWebRTC.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/module.mjs | matched "\\u2014" | 3 |
Manifest
Package metadata
Scripts13
devnpm run dev:prepare && nuxt dev playgrounddev:buildnuxt build playgrounddev:preparenuxt-module-build build --stub && nuxt-module-build prepare && nuxt prepare playgroundlinteslint .releasenpm run lint && npm run prepacktestvitest runtest:e2eplaywright testtest:e2e:headedplaywright test --headedtest:e2e:uiplaywright test --uitest:integrationvitest run --config test/integration/vitest.config.ts --reporter=verbosetest:typesvue-tsc --noEmit && cd playground && vue-tsc --noEmittest:unitvitest run --config test/unit/vitest.config.tstest:watchvitest watch
Dependencies4
@nuxt/kit^4.4.6@vueuse/core^14.3.0defu^6.1.7nanoevents^9.1.0