Package evidence
@askexenow/[email protected]
Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 9,282 (Niche · −30% score)
- Versions published: 363
- First published: Apr 2026
- Publisher: askexenow
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (3 events)
- available → available · risk high · score 64 · status available -> available, risk high -> high, score 92 -> 64
- available → available · risk high · score 92 · status available -> available, risk high -> high, score 64 -> 92
- new → available · risk high · score 64 · status changed
Related candidates
Linked campaigns and clusters
askexenow
10 members · evidence strength 81
Evidence
Static findings
11 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Suppresses Failure | package.json | postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true" | 20 |
| medium | Remote Payload | package/dist/chunk-F7ITFLVR.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/dist/chunk-J73N5EJ6.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/bin/install.js | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/backup.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/setup.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/status.sh | matched "curl " | 12 |
Low-signal and informational findings (remaining 4 of 11):
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Messenger Bot Endpoint | package/dist/chunk-F7ITFLVR.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true" | 5 |
| low | Obfuscation Density | package/dist/exe-key-S3Q3Q2LE.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/bin/exe-settings.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts (11)
- `benchmark:longmemeval`: `npx tsx tests/benchmarks/longmemeval.ts`
- `build`: `tsup && mkdir -p dist-next/assets && cp src/assets/tmux.conf dist-next/assets/ && cp src/assets/ghostty.conf dist-next/assets/ && cp src/assets/statusline-command.sh dist-next/assets/ && cp src/assets/wezterm.lua dist-next/assets/ && cp src/bin/exe-start.sh dist-next/bin/exe-start.sh && node dist-next/bin/generate-hook-manifest.js 2>/dev/null || true`
- `deploy`: `node dist/bin/pre-build-guard.js 2>/dev/null; npm run build && rm -rf dist-old && mv dist dist-old 2>/dev/null; mv dist-next dist && rm -rf dist-old & npm install -g . && node dist/bin/install.js --global && echo '[exe-os] Deploy complete. Run /mcp in active sessions to reconnect.'`
- `guard:esm-require`: `node scripts/check-no-runtime-require.mjs`
- `lint`: `eslint src/ --max-warnings 53`
- `postinstall`: `node dist/bin/install.js --commands-only 2>/dev/null || true`
- `prepublishOnly`: `npm run typecheck && npm run build && npm run guard:esm-require && node dist/bin/customer-readiness.js && node dist/bin/pre-publish.js`
- `test`: `vitest run`
- `test:publish`: `npx vitest run --maxWorkers=4 --exclude 'tests/tui/**' --exclude 'tests/lib/tmux-routing.test.ts' --exclude 'tests/lib/intercom-routing.test.ts' --exclude 'tests/gateway/**' --exclude 'tests/installer/setup-wizard.test.ts' --exclude 'tests/mcp/ingest-document.test.ts' --exclude 'tests/lib/hybrid-search.test.ts' --exclude 'tests/lib/worker-gate.test.ts'`
- `test:watch`: `vitest`
- `typecheck`: `tsc --noEmit`
Dependencies (26)
- @anthropic-ai/sdk ^0.95.2
- @aws-sdk/client-s3 ^3.1052.0
- @aws-sdk/s3-request-presigner ^3.1052.0
- @libsql/client ^0.14.0
- @modelcontextprotocol/sdk ^1.29.0
- @opentelemetry/api ^1.9.1
- @opentelemetry/sdk-node ^0.218.0
- @opentelemetry/sdk-trace-base ^2.7.0
- @slack/bolt ^4.7.0
- @slack/web-api ^7.15.1
- @whiskeysockets/baileys ^7.0.0-rc10
- bip39 ^3.1.0
- discord.js ^14.26.3
- grammy ^1.42.0
- ink ^6.8.0
- ink-text-input ^6.0.0
- jose ^6.2.2
- node-llama-cpp ^3.18.0
- nodemailer ^8.0.5
- openai ^6.33.0
- pg ^8.20.0
- react ^19.2.4
- typescript ^5.9.3
- ws ^8.21.0
- yjs ^13.6.30
- zod ^4.3.6
Optional dependencies (1)
- keytar ^7.9.0