PkgRadar

Package evidence

@aitlabs/[email protected]

Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
2
First published
Jun 2026
Publisher
araywhere

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@aitlabs/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@aitlabs/[email protected]"],"fail_on":"high"}'
Publisheraraywhere
Artifact bytes494,613
Previous version0.0.92
Published2026-06-05T13:09:38.340Z
SHA-256f85ee4b60b21c0b365d1547298f4419a514c6d5da2d55c3e11b9574577972e73

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"

1 candidate cluster(s) currently reference this release. 1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
12Score
0.0.103Version
Status history (1 event)
  1. newavailable · risk high · score 12 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPactive

Remote Dependency Spec — dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"

150 members · evidence strength 80
Repeated static TTPcandidate

Remote Dependency Spec — dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"

150 members · max score 52

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highRemote Dependency Specpackage.jsondependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"12

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
dependencies.xlsxhttps://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgzlow0no remote findings

Manifest

Package metadata

Scripts18
  • auth:generateauth generate --output src/auth/schema.ts --config src/auth/better-auth.ts --yes
  • buildbun build src/index.ts --target bun --outdir ./.output/
  • build:typestsgo -p tsconfig.eden.json && echo 'Eden build done.'
  • db:generatedrizzle-kit generate
  • db:migratedrizzle-kit migrate
  • db:pushdrizzle-kit push
  • db:seedbun src/db/seed.ts
  • db:seed:resetbun src/db/seed.ts reset
  • db:startdocker compose up -d db
  • db:studiodrizzle-kit studio
  • deploy:packbun deploy-pack.ts
  • devbun --watch src/index.ts
  • fmtoxfmt
  • preparehusky || true
  • prepublishOnlybun run build && bun build:types
  • releasebun pm version patch && bun publish
  • startNODE_ENV=production POSTGRES_PORT=5442 bun dist/index.js
  • typechecktsgo --noEmit
Dependencies18
  • @better-auth/i18n1.6.9
  • @date-fns/tz1.4.1
  • @date-fns/utc2.1.1
  • @elysiajs/cors1.4.2
  • @elysiajs/openapi1.4.15
  • @paralleldrive/cuid23.3.0
  • @sinclair/typebox0.34.49
  • better-auth1.6.9
  • date-fns4.1.0
  • decimal.js10.6.0
  • drizzle-orm0.45.2
  • drizzle-seed0.3.1
  • drizzle-typebox0.3.3
  • elysia1.4.28
  • nanoid5.1.11
  • nodemailer8.0.7
  • postgres3.4.9
  • xlsxhttps://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz