Package evidence

@askexenow/[email protected]

Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 8,124Niche · −30% score
Versions published: 354
First published: Apr 2026
Publisher: askexenow

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'

Publisheraskexenow

Artifact bytes878,509

Previous version0.9.140

Published2026-05-26T07:12:33.371Z

SHA-25681ae7c8cd2dd2529b87b2ead554542936c57b2d5a9e3711c9fba69118fad8c46

Why flagged

What the scanner saw

Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

3d agoLast checked

highRisk

37Score

0.9.141Version

Status history (3 events)

available → available3d ago · risk high · score 37 · status available -> available, risk high -> high, score 54 -> 37
available → available14d ago · risk high · score 54 · status available -> available, risk high -> high, score 63 -> 54
new → available18d ago · risk high · score 63 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

askexenow

10 members · evidence strength 81

Evidence

Static findings

7 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Suppresses Failure	package.json	postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true"	20
medium	Remote Payload	package/dist/chunk-LCZRXRB7.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-MQB2BE3I.js	matched "api.telegram.org/bot"	12

Show all 7 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Suppresses Failure	package.json	postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true"	20
medium	Remote Payload	package/dist/chunk-LCZRXRB7.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-MQB2BE3I.js	matched "api.telegram.org/bot"	12
low	Messenger Bot Endpoint	package/dist/chunk-MQB2BE3I.js	matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler)	5
low	Install-time lifecycle script	package.json	postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true"	5
low	Obfuscation Density	package/dist/exe-key-KHNNQGSZ.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/bin/exe-settings.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts10

benchmark:longmemevalnpx tsx tests/benchmarks/longmemeval.ts
buildtsup && mkdir -p dist-next/assets && cp src/assets/tmux.conf dist-next/assets/ && cp src/assets/ghostty.conf dist-next/assets/ && cp src/assets/statusline-command.sh dist-next/assets/ && cp src/bin/exe-start.sh dist-next/bin/exe-start.sh && node dist-next/bin/generate-hook-manifest.js 2>/dev/null || true
deploynode dist/bin/pre-build-guard.js 2>/dev/null; npm run build && rm -rf dist-old && mv dist dist-old 2>/dev/null; mv dist-next dist && rm -rf dist-old & npm install -g . && node dist/bin/install.js --global && echo '[exe-os] Deploy complete. Run /mcp in active sessions to reconnect.'
linteslint src/ --max-warnings 53
postinstallnode dist/bin/install.js --commands-only 2>/dev/null || true
prepublishOnlynpm run typecheck && npm run build && node dist/bin/customer-readiness.js && node dist/bin/pre-publish.js
testvitest run
test:publishnpx vitest run --maxWorkers=4 --exclude 'tests/tui/**' --exclude 'tests/lib/tmux-routing.test.ts' --exclude 'tests/lib/intercom-routing.test.ts' --exclude 'tests/gateway/**' --exclude 'tests/installer/setup-wizard.test.ts' --exclude 'tests/mcp/ingest-document.test.ts' --exclude 'tests/lib/hybrid-search.test.ts' --exclude 'tests/lib/worker-gate.test.ts'
test:watchvitest
typechecktsc --noEmit

Dependencies25

@anthropic-ai/sdk^0.95.2
@aws-sdk/client-s3^3.1052.0
@aws-sdk/s3-request-presigner^3.1052.0
@libsql/client^0.14.0
@modelcontextprotocol/sdk^1.29.0
@opentelemetry/api^1.9.1
@opentelemetry/sdk-node^0.218.0
@opentelemetry/sdk-trace-base^2.7.0
@slack/bolt^4.7.0
@slack/web-api^7.15.1
@whiskeysockets/baileys^7.0.0-rc10
bip39^3.1.0
discord.js^14.26.3
grammy^1.42.0
ink^6.8.0
ink-text-input^6.0.0
jose^6.2.2
node-llama-cpp^3.18.0
nodemailer^8.0.5
openai^6.33.0
pg^8.20.0
react^19.2.4
ws^8.21.0
yjs^13.6.30
zod^4.3.6

Optional dependencies1

keytar^7.9.0