PkgRadar

Package evidence

@botcoinmoney/[email protected]

Suspicious Publish Context: {"package_age_days":1,"publisher":"botcoinmoney","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
135
Versions published
3
First published
Jun 2026
Publisher
botcoinmoney

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@botcoinmoney/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@botcoinmoney/[email protected]"],"fail_on":"review"}'
Publisherbotcoinmoney
Artifact bytes959,386
Previous version0.7.1
Published2026-06-16T22:03:50.652Z
SHA-256ed6c493089ca519941248aa5aea2de1e7ebf406129e36958fef5dc8f1e496af7

Why flagged

What the scanner saw

Suspicious Publish Context: {"package_age_days":1,"publisher":"botcoinmoney","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
0.7.2Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumSuspicious Publish Contextmanifest{"package_age_days":1,"publisher":"botcoinmoney","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}10

Manifest

Package metadata

Scripts10
  • buildtsc -p tsconfig.json
  • cleanrm -rf dist tsconfig.tsbuildinfo
  • pack:checknpm pack --dry-run
  • prebuildnpm run clean
  • prepacknpm run build
  • sync:from-coretexnode tooling/sync-from-coretex.mjs
  • testnpm run test:unit
  • test:unitnode --test --test-concurrency=1 --test-reporter=spec ./test/unit/base-blockhash.test.mjs ./test/unit/bundle-base-rpc-config.test.mjs ./test/unit/bundle-client-version-policy.test.mjs ./test/unit/bundle-h1-h2-fields.test.mjs ./test/unit/bundle.test.mjs ./test/unit/canonical-json.test.mjs ./test/unit/codec.test.mjs ./test/unit/coretex-registry-replay.test.mjs ./test/unit/coordinator-contract.test.mjs ./test/unit/corpus-root-cache.test.mjs ./test/unit/corpus-serializer-roundtrip.test.mjs ./test/unit/epoch-rotation.test.mjs ./test/unit/eval-report-artifact.test.mjs ./test/unit/merkle.test.mjs ./test/unit/patch.test.mjs ./test/unit/qwen-prompt-template-golden.test.mjs ./test/unit/reducer.test.mjs ./test/unit/replay-cli.test.mjs ./test/unit/replay-v4.test.mjs ./test/unit/reranker-input-cap.test.mjs ./test/unit/reranker-length-bucketing-order.test.mjs ./test/unit/reranker-script-resolution.test.mjs ./test/unit/retrieval-decoder.test.mjs ./test/unit/rpc-fetch-target.test.mjs ./test/unit/seed-derivation-golden.test.mjs ./test/unit/seed-derivation.test.mjs ./test/unit/slot-policy.test.mjs ./test/unit/state-root-vectors.test.mjs ./test/unit/validate.test.mjs ./test/unit/client-package-fresh-install.test.mjs ./test/unit/client-reranker-fail-closed.test.mjs ./test/unit/client-runtime.test.mjs ./test/unit/client-setup-cli.test.mjs ./test/unit/client-sync-atomicity.test.mjs ./test/unit/client-sync-backlog-drain.test.mjs ./test/unit/client-sync-corpus-autoresolve.test.mjs ./test/unit/client-sync-defaults.test.mjs ./test/unit/client-sync-hardening.test.mjs ./test/unit/client-sync.test.mjs ./test/unit/launch-recovery-pin.test.mjs ./test/unit/workers.test.mjs
  • typechecktsc -p tsconfig.json --noEmit
  • version:checknode scripts/check-release-version.mjs
Optional dependencies1
  • @huggingface/transformers^4.1.0