Package evidence

@bubblebrain-ai/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 12
First published: May 2026
Publisher: bubblebrain

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@bubblebrain-ai/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@bubblebrain-ai/[email protected]"],"fail_on":"review"}'

Publisherbubblebrain

Artifact bytes350,578

Previous version0.0.11

Published2026-05-25T07:36:08.835Z

SHA-25625b9be136cd426cde908492bf2b5229f236652df0d831401715aa177bbc73656

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

23d agoLast checked

reviewRisk

99Score

0.0.12Version

Status history (1 event)

new → available23d ago · risk review · score 99 · status changed

Evidence

Static findings

27 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/bin.js	matched "curl "	12
medium	Remote Payload	package/dist/approval/danger.js	matched "curl "	12

Show all 27 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/bin.js	matched "curl "	12
medium	Remote Payload	package/dist/approval/danger.js	matched "curl "	12
low	Obfuscation	package/dist/tui-ink/app.js	matched "\\x1b"	3
low	Obfuscation	package/dist/tui-ink/approval/approval-dialog.js	matched "\\u2191"	3
low	Obfuscation	package/dist/tui-ink/code-highlight.js	matched "\\x1b"	3
low	Obfuscation	package/dist/tui-ink/detect-theme.js	matched "\\x1b"	3
low	Obfuscation	package/dist/tui-ink/approval/diff-view.js	matched "\\u2026"	3
low	Obfuscation	package/dist/tools/edit-apply.js	matched "\\uFEFF"	3
low	Obfuscation	package/dist/tui-ink/feedback-dialog.js	matched "\\u00B7"	3
low	Obfuscation	package/dist/tui-ink/feishu-setup-picker.js	matched "\\u6B63"	3
low	Obfuscation	package/dist/tui-ink/footer.js	matched "\\u2022"	3
low	Obfuscation	package/dist/tui-ink/image-paste.js	matched "Buffer.from(att.base64, \"base64"	3
low	Obfuscation	package/dist/tui-ink/input-box.js	matched "\\x03"	3
low	Obfuscation	package/dist/tui-ink/message-list.js	matched "\\u26EC"	3
low	Obfuscation	package/dist/tui-ink/model-picker.js	matched "\\x1b"	3
low	Obfuscation	package/dist/oauth/openai-codex.js	matched "Buffer.from(parts[1], \"base64"	3
low	Obfuscation	package/dist/tui-ink/plan-confirm.js	matched "\\u00A0"	3
low	Obfuscation	package/dist/provider-openai-codex.js	matched "Buffer.from(parts[1], \"base64"	3
low	Obfuscation	package/dist/tui-ink/question-dialog.js	matched "\\u2191"	3
low	Obfuscation	package/dist/tui-ink/run.js	matched "\\x03"	3
low	Obfuscation	package/dist/feishu/secrets.js	matched "Buffer.from(record.salt, \"base64"	3
low	Obfuscation	package/dist/tui-ink/session-picker.js	matched "\\u2191"	3
low	Obfuscation	package/dist/tools/skill-search.js	matched "\\u3000"	3
low	Obfuscation	package/dist/tui-ink/terminal-mouse.js	matched "\\x1b"	3
low	Obfuscation	package/dist/tui-ink/todos.js	matched "\\u25CF"	3
low	Obfuscation	package/dist/context/usage.js	matched "\\u001b"	3
low	Obfuscation	package/dist/tui-ink/welcome.js	matched "\\u00B7"	3

Manifest

Package metadata

Scripts6

buildrm -rf dist && tsc && chmod +x dist/bin.js dist/main.js
devtsc && bun dist/main.js
prepacknpm run build
startbun dist/main.js
testvitest run
test:watchvitest

Dependencies18

@larksuiteoapi/node-sdk^1.65.0
@types/better-sqlite3^7.6.13
@types/react^19.2.14
@vue/language-server^3.2.7
better-sqlite3^12.9.0
chalk^5.3.0
diff^7.0.0
ink^7.0.3
js-tiktoken^1.0.21
openai^4.77.0
picomatch^4.0.4
qrcode-terminal^0.12.0
react^19.2.6
shiki^4.0.2
string-width^8.2.1
typescript-language-server^5.1.3
vscode-jsonrpc^8.2.1
vscode-langservers-extracted^4.10.0