Package evidence
@askexenow/[email protected]
Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 363
- First published
- Apr 2026
- Publisher
- askexenow
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@askexenow/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Install Lifecycle Suppresses Failure: postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 169 · status changed
Evidence
Static findings
59 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Suppresses Failure | package.json | postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true" | 20 |
| medium | Remote Payload | package/dist/chunk-6HTXA4IM.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-6L5DS7XO.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-CEPXBGAS.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/dist/chunk-G77I73CN.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-JEOFG274.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-L4WRH3DL.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/dist/chunk-RQI5TG5F.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-X33TSJNO.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/bin/deferred-daemon-restart.js | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/backup.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/setup.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/status.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/uptime-check.sh | matched "curl " | 12 |
Show all 59 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Suppresses Failure | package.json | postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true" | 20 |
| medium | Remote Payload | package/dist/chunk-6HTXA4IM.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-6L5DS7XO.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-CEPXBGAS.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/dist/chunk-G77I73CN.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-JEOFG274.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-L4WRH3DL.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/dist/chunk-RQI5TG5F.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/chunk-X33TSJNO.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/bin/deferred-daemon-restart.js | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/backup.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/setup.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/status.sh | matched "curl " | 12 |
| medium | Remote Payload | package/deploy/compose/uptime-check.sh | matched "curl " | 12 |
| low | Credential file access | package/dist/chunk-3IM3JNQV.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-5TANMPI4.js | matched ".config/gcloud" | 5 |
| low | Messenger Bot Endpoint | package/dist/chunk-CEPXBGAS.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Credential file access | package/dist/chunk-DBJCWK6T.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-F7FZ24KM.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-FBRQGHSU.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-FS7G6NJD.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-JJ4VDZ5E.js | matched ".config/gcloud" | 5 |
| low | Messenger Bot Endpoint | package/dist/chunk-L4WRH3DL.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Credential file access | package/dist/chunk-PD2LUPHD.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-RDGF4T5S.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-UQ27GW5L.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-VKCUSNJW.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-VXODHQXB.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-XNRJ5JHU.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-XSRBNOLY.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-Y25OJWOQ.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/chunk-YBF67NNY.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/dist/chunk-YNJPRQ6J.js | matched ".config/gcloud" | 5 |
| low | Credential file access | package/deploy/compose/backup.sh | matched "AWS_ACCESS_KEY" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node dist/bin/install.js --commands-only 2>/dev/null || true" | 5 |
| low | Obfuscation Density | package/dist/chunk-5SDX3UAG.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/chunk-6WKV4F6L.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/chunk-7HUGVJHW.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/chunk-7OEUOJL5.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/chunk-DPFGT2T5.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/chunk-PNWAZ4EA.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/chunk-YYO5RQRT.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-6FPQHBW6.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-6JHEINOM.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-7XX4OUXD.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-BQVOD3YE.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-H45JY44F.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-HFQH2DSQ.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-HXOWRGJT.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-JS7OSDJP.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-K3HQLUYO.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-MAEQGTB7.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-MLC7AKR4.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-N3XYSEXP.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-Q3ZNYT6L.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-Q47RPB45.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-RIRPIFK6.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/exe-key-WR6QEHYO.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/bin/exe-settings.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts13
benchmark:longmemevalnpx tsx tests/benchmarks/longmemeval.tsbuildtsup && mkdir -p dist/assets && cp src/assets/tmux.conf dist/assets/ && cp src/assets/ghostty.conf dist/assets/ && cp src/assets/statusline-command.sh dist/assets/ && cp src/assets/wezterm.lua dist/assets/ && cp src/bin/exe-start.sh dist/bin/exe-start.sh && node dist/bin/generate-hook-manifest.js 2>/dev/null || truedeploynode dist/bin/pre-build-guard.js 2>/dev/null; npm run build && npm install -g . && node dist/bin/install.js --global && echo '[exe-os] Deploy complete. Run /mcp in active sessions to reconnect.'guard:esm-requirenode scripts/check-no-runtime-require.mjslinteslint src/ --max-warnings 53postinstallnode dist/bin/install.js --commands-only 2>/dev/null || trueprepublishOnlynpm run typecheck && npm run build && npm run guard:esm-require && node dist/bin/customer-readiness.js && node dist/bin/pre-publish.jstestvitest runtest:daemon-smokevitest run --maxWorkers=1 tests/smoke/daemon-smoke-gate.test.tstest:publishnpx vitest run --maxWorkers=4 --exclude 'tests/tui/**' --exclude 'tests/lib/tmux-routing.test.ts' --exclude 'tests/lib/intercom-routing.test.ts' --exclude 'tests/gateway/**' --exclude 'tests/installer/setup-wizard.test.ts' --exclude 'tests/mcp/ingest-document.test.ts' --exclude 'tests/lib/hybrid-search.test.ts' --exclude 'tests/lib/worker-gate.test.ts' --exclude 'tests/lib/gateway-client.test.ts' --exclude 'tests/daemon-perf-stress.test.ts' && echo '::warning::gateway-client suite quarantined in CI — passes via SSH on the same box, fails deterministically in the Actions job env. Tracked bug: see .exe-os bug-reports 2026-06-10 gateway-client-ws-tests. Runs in local dev + pre-publish.' && npx vitest run --maxWorkers=1 tests/daemon-perf-stress.test.tstest:stack-simnode scripts/stack-sim.mjstest:watchvitesttypechecktsc --noEmit
Dependencies26
@anthropic-ai/sdk^0.95.2@aws-sdk/client-s3^3.1052.0@aws-sdk/s3-request-presigner^3.1052.0@libsql/client^0.14.0@modelcontextprotocol/sdk^1.29.0@opentelemetry/api^1.9.1@opentelemetry/sdk-node^0.218.0@opentelemetry/sdk-trace-base^2.7.0@slack/bolt^4.7.0@slack/web-api^7.15.1@whiskeysockets/baileys^7.0.0-rc10bip39^3.1.0discord.js^14.26.3grammy^1.42.0ink^6.8.0ink-text-input^6.0.0jose^6.2.2node-llama-cpp^3.18.1nodemailer^8.0.5openai^6.33.0pg^8.20.0react^19.2.4typescript^5.9.3ws^8.21.0yjs^13.6.30zod^4.3.6
Optional dependencies1
keytar^7.9.0