Package evidence
@cyclonedx/[email protected]
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 168,420 (Ubiquitous · −70% score)
- Versions published: 228 (Mature · −50% score)
- First published: Feb 2023
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting. Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@cyclonedx/[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@cyclonedx/[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 39 · status changed
Evidence
Static findings
12 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Hidden Powershell | package/lib/stages/postgen/auditBom.poku.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Webhook Exfil Endpoint | package/lib/stages/postgen/auditBom.poku.js | matched "ngrok-free.app" | 40 |
| high | Webhook Exfil Endpoint | package/lib/helpers/formulationParsers.poku.js | matched "ngrok-free.app" | 40 |
| high | Webhook Exfil Endpoint | package/lib/stages/postgen/postgen.poku.js | matched "ngrok-free.app" | 40 |
| low | Credential file access | package/lib/stages/postgen/auditBom.poku.js | matched ".ssh/" | 5 |
| low | Credential file access | package/lib/managers/docker.poku.js | matched ".aws/" | 5 |
| low | Credential file access | package/lib/cli/index.js | matched ".npmrc" | 5 |
| low | Credential file access | package/lib/cli/index.poku.js | matched ".ssh/" | 5 |
| low | Credential file access | package/lib/helpers/osqueryTransform.poku.js | matched ".ssh/" | 5 |
| low | Credential file access | package/lib/helpers/utils.js | matched ".npmrc" | 5 |
| low | Credential file access | package/lib/helpers/utils.poku.js | matched ".ssh/" | 5 |
| low | Credential file access | package/data/crypto-oid.json | matched "ID_RSA" | 3 |
Manifest
Package metadata
Scripts (8)
- gen-types: `pnpm exec tsc`
- install:frozen: `pnpm install --config.strict-dep-builds=true --frozen-lockfile --package-import-method copy`
- install:prod: `pnpm install --config.strict-dep-builds=true --frozen-lockfile --package-import-method copy --prod`
- lint: `biome check --write`
- lint:check: `biome check`
- lint:errors: `biome check --diagnostic-level=error`
- test: `poku`
- watch: `poku --watch`
Dependencies (35)
- @babel/parser 7.29.3
- @babel/traverse 7.29.0
- @iarna/toml 2.2.5
- @isaacs/string-locale-compare 1.1.0
- @npmcli/fs 5.0.0
- @npmcli/map-workspaces 5.0.3
- @npmcli/name-from-folder 4.0.0
- @npmcli/package-json 7.0.5
- ajv 8.20.0
- ajv-formats 3.0.1
- bin-links 6.0.2
- cheerio 1.2.0
- common-ancestor-path 1.0.1
- edn-data 1.1.2
- glob 13.0.6
- got 14.6.6
- iconv-lite 0.7.2
- json-stringify-nice 1.1.4
- keyv 5.6.0
- node-stream-zip 1.15.0
- npm-package-arg 13.0.2
- packageurl-js 1.0.2
- parse-conflict-json 5.0.1
- properties-reader 3.0.1
- read-package-json-fast 5.0.0
- semver 7.8.1
- ssri 13.0.1
- tar 7.5.15
- treeverse 3.0.0
- uuid 14.0.0
- …and 5 more.
Optional dependencies (20)
- @appthreat/atom 2.5.5
- @appthreat/atom-parsetools 1.2.2
- @appthreat/cdx-proto 2.0.1
- @bufbuild/protobuf 2.12.0
- @cdxgen/cdx-hbom 0.5.0
- @cdxgen/cdxgen-plugins-bin 2.3.0
- @cdxgen/cdxgen-plugins-bin-darwin-amd64 2.3.0
- @cdxgen/cdxgen-plugins-bin-darwin-arm64 2.3.0
- @cdxgen/cdxgen-plugins-bin-linux-amd64 2.3.0
- @cdxgen/cdxgen-plugins-bin-linux-arm 2.3.0
- @cdxgen/cdxgen-plugins-bin-linux-arm64 2.3.0
- @cdxgen/cdxgen-plugins-bin-linux-ppc64 2.3.0
- @cdxgen/cdxgen-plugins-bin-linuxmusl-amd64 2.3.0
- @cdxgen/cdxgen-plugins-bin-linuxmusl-arm64 2.3.0
- @cdxgen/cdxgen-plugins-bin-windows-amd64 2.3.0
- @cdxgen/cdxgen-plugins-bin-windows-arm64 2.3.0
- body-parser 2.2.2
- compression 1.8.1
- connect 3.7.0
- jsonata 2.2.1