Package evidence

@askexenow/[email protected]

Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 8,124Niche · −30% score
Versions published: 362
First published: Apr 2026
Publisher: askexenow

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'

Publisheraskexenow

Artifact bytes6,109,581

Previous version0.9.273

Published2026-06-11T15:11:34.866Z

SHA-256c8bbe47aaf862c5c9bdf1c99a74046327800d8a6e9f54846e472f9805a1cf461

Why flagged

What the scanner saw

Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

47h agoLast checked

highRisk

106Score

0.9.274Version

Status history (1 event)

new → available47h ago · risk high · score 106 · status changed

Evidence

Static findings

50 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Suppresses Failure	package.json	postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true"	20
medium	Remote Payload	package/dist/chunk-6HTXA4IM.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-6L5DS7XO.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-JEOFG274.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-L4WRH3DL.js	matched "api.telegram.org/bot"	12
medium	Remote Payload	package/dist/chunk-RQI5TG5F.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-X33TSJNO.js	matched "curl "	12
medium	Remote Payload	package/dist/bin/deferred-daemon-restart.js	matched "curl "	12
medium	Remote Payload	package/deploy/compose/backup.sh	matched "curl "	12
medium	Remote Payload	package/deploy/compose/setup.sh	matched "curl "	12
medium	Remote Payload	package/deploy/compose/status.sh	matched "curl "	12
medium	Remote Payload	package/deploy/compose/uptime-check.sh	matched "curl "	12

Show all 50 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Suppresses Failure	package.json	postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true"	20
medium	Remote Payload	package/dist/chunk-6HTXA4IM.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-6L5DS7XO.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-JEOFG274.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-L4WRH3DL.js	matched "api.telegram.org/bot"	12
medium	Remote Payload	package/dist/chunk-RQI5TG5F.js	matched "curl "	12
medium	Remote Payload	package/dist/chunk-X33TSJNO.js	matched "curl "	12
medium	Remote Payload	package/dist/bin/deferred-daemon-restart.js	matched "curl "	12
medium	Remote Payload	package/deploy/compose/backup.sh	matched "curl "	12
medium	Remote Payload	package/deploy/compose/setup.sh	matched "curl "	12
medium	Remote Payload	package/deploy/compose/status.sh	matched "curl "	12
medium	Remote Payload	package/deploy/compose/uptime-check.sh	matched "curl "	12
low	Credential file access	package/dist/chunk-3IM3JNQV.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-5TANMPI4.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-DBJCWK6T.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-F7FZ24KM.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-FBRQGHSU.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-FS7G6NJD.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-JJ4VDZ5E.js	matched ".config/gcloud"	5
low	Messenger Bot Endpoint	package/dist/chunk-L4WRH3DL.js	matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler)	5
low	Credential file access	package/dist/chunk-PD2LUPHD.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-UQ27GW5L.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-VKCUSNJW.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-VXODHQXB.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-XNRJ5JHU.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-XSRBNOLY.js	matched ".config/gcloud"	5
low	Credential file access	package/dist/chunk-Y25OJWOQ.js	matched "aws_access_key"	5
low	Credential file access	package/dist/chunk-YNJPRQ6J.js	matched ".config/gcloud"	5
low	Credential file access	package/deploy/compose/backup.sh	matched "AWS_ACCESS_KEY"	5
low	Install-time lifecycle script	package.json	postinstall="node dist/bin/install.js --commands-only 2>/dev/null \|\| true"	5
low	Obfuscation Density	package/dist/chunk-6WKV4F6L.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-7HUGVJHW.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-7OEUOJL5.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-PNWAZ4EA.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-YYO5RQRT.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-6FPQHBW6.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-6JHEINOM.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-7XX4OUXD.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-BQVOD3YE.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-H45JY44F.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-HXOWRGJT.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-JS7OSDJP.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-K3HQLUYO.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-MAEQGTB7.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-N3XYSEXP.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-Q3ZNYT6L.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-Q47RPB45.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-RIRPIFK6.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/exe-key-WR6QEHYO.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/bin/exe-settings.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts12

benchmark:longmemevalnpx tsx tests/benchmarks/longmemeval.ts
buildtsup && mkdir -p dist/assets && cp src/assets/tmux.conf dist/assets/ && cp src/assets/ghostty.conf dist/assets/ && cp src/assets/statusline-command.sh dist/assets/ && cp src/assets/wezterm.lua dist/assets/ && cp src/bin/exe-start.sh dist/bin/exe-start.sh && node dist/bin/generate-hook-manifest.js 2>/dev/null || true
deploynode dist/bin/pre-build-guard.js 2>/dev/null; npm run build && npm install -g . && node dist/bin/install.js --global && echo '[exe-os] Deploy complete. Run /mcp in active sessions to reconnect.'
guard:esm-requirenode scripts/check-no-runtime-require.mjs
linteslint src/ --max-warnings 53
postinstallnode dist/bin/install.js --commands-only 2>/dev/null || true
prepublishOnlynpm run typecheck && npm run build && npm run guard:esm-require && node dist/bin/customer-readiness.js && node dist/bin/pre-publish.js
testvitest run
test:publishnpx vitest run --maxWorkers=4 --exclude 'tests/tui/**' --exclude 'tests/lib/tmux-routing.test.ts' --exclude 'tests/lib/intercom-routing.test.ts' --exclude 'tests/gateway/**' --exclude 'tests/installer/setup-wizard.test.ts' --exclude 'tests/mcp/ingest-document.test.ts' --exclude 'tests/lib/hybrid-search.test.ts' --exclude 'tests/lib/worker-gate.test.ts' --exclude 'tests/lib/gateway-client.test.ts' --exclude 'tests/daemon-perf-stress.test.ts' && echo '::warning::gateway-client suite quarantined in CI — passes via SSH on the same box, fails deterministically in the Actions job env. Tracked bug: see .exe-os bug-reports 2026-06-10 gateway-client-ws-tests. Runs in local dev + pre-publish.' && npx vitest run --maxWorkers=1 tests/daemon-perf-stress.test.ts
test:stack-simnode scripts/stack-sim.mjs
test:watchvitest
typechecktsc --noEmit

Dependencies26

@anthropic-ai/sdk^0.95.2
@aws-sdk/client-s3^3.1052.0
@aws-sdk/s3-request-presigner^3.1052.0
@libsql/client^0.14.0
@modelcontextprotocol/sdk^1.29.0
@opentelemetry/api^1.9.1
@opentelemetry/sdk-node^0.218.0
@opentelemetry/sdk-trace-base^2.7.0
@slack/bolt^4.7.0
@slack/web-api^7.15.1
@whiskeysockets/baileys^7.0.0-rc10
bip39^3.1.0
discord.js^14.26.3
grammy^1.42.0
ink^6.8.0
ink-text-input^6.0.0
jose^6.2.2
node-llama-cpp^3.18.0
nodemailer^8.0.5
openai^6.33.0
pg^8.20.0
react^19.2.4
typescript^5.9.3
ws^8.21.0
yjs^13.6.30
zod^4.3.6

Optional dependencies1

keytar^7.9.0