Package evidence

@automattic/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 647
Versions published: 530Mature · −50% score
First published: Aug 2021
Publisher: newspack-npm

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@automattic/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@automattic/[email protected]"],"fail_on":"review"}'

Publishernewspack-npm

Artifact bytes1,159,060

Previous version4.26.3

Published2026-05-21T18:06:23.814Z

SHA-256e2390c9ae15c2e2574133a1c41d38cd4bffcf973915ca0d88affe9b5b4129fbd

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

12d agoLast checked

reviewRisk

6Score

4.26.4-alpha.1Version

Status history (1 event)

new → available12d ago · risk review · score 6 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/bin/install-wp-tests.sh	matched "curl "	12

Manifest

Package metadata

Scripts21

buildnpm run clean && newspack-scripts wp-scripts build
cleanrm -rf dist
cmnewspack-scripts commit
fix:jsnewspack-scripts wp-scripts lint-js --fix '**/{src,includes}/**/*.{js,jsx,ts,tsx}'
fix:php./vendor/bin/phpcbf
format:jsnewspack-scripts wp-scripts format '**/{src,includes}/**/*.{js,jsx,ts,tsx}'
format:scssnewspack-scripts wp-scripts lint-style '**/{src,includes}/**/*.scss' --customSyntax postcss-scss --fix
i18nNODE_ENV=production npm run build; bash ./bin/update-translations.sh
lintnpm run lint:scss && npm run lint:js
lint:jsnewspack-scripts wp-scripts lint-js '**/{src,includes}/**/*.{js,jsx,ts,tsx}'
lint:js:stagednewspack-scripts wp-scripts lint-js --ext .js,.jsx,.ts,.tsx
lint:php./vendor/bin/phpcs
lint:php:staged./vendor/bin/phpcs --filter=GitStaged
lint:scssnewspack-scripts wp-scripts lint-style '**/{src,includes}/**/*.scss' --customSyntax postcss-scss
lint:scss:stagednewspack-scripts wp-scripts lint-style --customSyntax postcss-scss
releasenpm run build && npm run semantic-release
release:archiverm -rf release && mkdir -p release && rsync -r . ./release/newspack-blocks --exclude-from='./.distignore' && cd release && zip -r newspack-blocks.zip newspack-blocks
semantic-releasenewspack-scripts release --files=newspack-blocks.php
startnpm ci && npm run watch
testnewspack-scripts test
watchnpm run clean && newspack-scripts wp-scripts start

Dependencies7

classnames^2.5.1
newspack-colors^1.1.0
newspack-icons^1.0.5
redux^5.0.0
redux-saga^1.4.2
regenerator-runtime^0.14.1
swiper12.0.3