PkgRadar

Package evidence

@adcp/[email protected]

DNS / OAST exfiltration: matched "dns.lookup"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 6,408 (Niche · −30% score)
Versions published: 60
First published: Apr 2026
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@adcp/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@adcp/[email protected]"],"fail_on":"review"}'

Artifact bytes: 14,537,975
Previous version: 8.1.0-beta.14
Published: 2026-05-28T13:40:32.388Z
SHA-256: b8c471787fcc5641cabcd3b6673444aa44b4ad8153aa931bf5608c4e8bf3ab34

Why flagged

What the scanner saw

DNS / OAST exfiltration: matched "dns.lookup"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 15
Version: 8.1.0-beta.15
Status history (1 event)
  1. new · available · risk review · score 15 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | DNS / OAST exfiltration | package/dist/lib/server/pin-and-bind-fetch.js | matched "dns.lookup" | 30 |
| high | DNS / OAST exfiltration | package/dist/lib/testing/storyboard/request-signing/probe.js | matched "dns.lookup" | 30 |
| high | DNS / OAST exfiltration | package/dist/lib/net/ssrf-fetch.js | matched "dns.lookup" | 30 |
| high | DNS / OAST exfiltration | package/dist/lib/substitution/observer/SubstitutionObserver.js | matched "dns.lookup" | 30 |

Manifest

Package metadata

Scripts: 82
  • build → npm run build:lib
  • build:lib → npm run sync-version && npm run schemas:ensure && tsx scripts/generate-wire-spec-fields.ts && tsc --project tsconfig.lib.json && tsx scripts/copy-schemas-to-dist.ts && tsx scripts/copy-v2-projection-catalog.ts && tsx scripts/generate-per-tool-types.ts
  • build:test-agents → npm run build:lib && tsc -p test-agents/tsconfig.json --rootDir test-agents
  • changeset → changeset
  • check:adopter-types → tsx scripts/check-adopter-types.ts
  • check:adopter-types-narrow → tsx scripts/check-adopter-types-narrow.ts
  • check:skill-sync → tsx scripts/check-skill-sync.ts
  • ci:codegen-strict → tsx scripts/check-no-loose-oneof.ts
  • ci:doc-links → tsx scripts/check-doc-links.ts
  • ci:docs-check → npm run generate-agent-docs && git diff --exit-code -I '> Generated at:' -I '> (Library: )?@adcp/sdk v' docs/llms.txt docs/TYPE-SUMMARY.md || (echo '⚠️ Agent docs are out of sync. Run: npm run generate-agent-docs' && exit 1)
  • ci:pre-push → npm run ci:schema-check && npm run ci:codegen-strict && npm run ci:quick
  • ci:quick → npm run format:check && npm run typecheck && npm run build:lib && npm test
  • ci:schema-check → npm run sync-schemas && npm run generate-types && npm run generate-registry-types && git diff --exit-code -I '// Generated at:' src/lib/types/ src/lib/agents/ src/lib/registry/types.generated.ts schemas/registry/registry.yaml || (echo '⚠️ Generated files are out of sync. Run: npm run sync-schemas && npm run generate-types && npm run generate-registry-types' && exit 1)
  • ci:validate → node scripts/ci-validate.js
  • clean → rm -rf dist/
  • compliance:fork-matrix → node --test --test-timeout=300000 'test/examples/hello-*.test.js' test/examples/proxy-seller-snap.test.js
  • docs → typedoc
  • docs:open → open docs/api/index.html || xdg-open docs/api/index.html || start docs/api/index.html
  • docs:serve → npx http-server docs -p 4000 -o
  • docs:watch → typedoc --watch
  • format → prettier --write "./**/*.{css,html,js,ts,tsx,json}"
  • format:check → prettier --check "./**/*.{css,html,js,ts,tsx,json}"
  • generate-agent-docs → tsx scripts/generate-agent-docs.ts
  • generate-entity-hydration → tsx scripts/generate-entity-hydration.ts
  • generate-enum-arrays → tsx scripts/generate-enum-arrays.ts
  • generate-inline-enum-arrays → tsx scripts/generate-inline-enum-arrays.ts
  • generate-manifest-derived → tsx scripts/generate-manifest-derived.ts
  • generate-registry-types → tsx scripts/generate-registry-types.ts
  • generate-types → tsx scripts/generate-types.ts && tsx scripts/generate-enum-arrays.ts && tsx scripts/generate-manifest-derived.ts && tsx scripts/generate-entity-hydration.ts
  • generate-types:3.1-beta → tsx scripts/generate-3-1-beta-types.ts
  • …and 52 more.
Dependencies: 11
  • @types/ws ^8.18.1
  • ajv ^8.18.0
  • ajv-formats ^3.0.1
  • fast-check ^3.23.2
  • jose ^6.2.2
  • secure-json-parse ^4.1.0
  • structured-headers ^2.0.2
  • tldts ^7.0.29
  • undici ^6.25.0
  • ws ^8.20.0
  • yaml ^2.7.1