PkgRadar

Package evidence

@daloyjs/[email protected]

DNS / OAST exfiltration: matched "dns.lookup"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,135 (Niche · −30% score)
Versions published: 42
First published: May 2026
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@daloyjs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@daloyjs/[email protected]"],"fail_on":"review"}'

Artifact bytes: 272,806
Previous version: 0.35.1
Published: 2026-05-28T08:15:30.880Z
SHA-256: e121218e5e8fa077d22bb1f632e6af67604217d232766f793f390a4793191455

Why flagged

What the scanner saw

DNS / OAST exfiltration: matched "dns.lookup"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 9
Version: 0.35.2
Status history (1 event)
  1. new · available · risk review · score 9 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
high | DNS / OAST exfiltration | package/dist/fetch-guard.js | matched "dns.lookup" | 30

Manifest

Package metadata

Scripts: 46
  • audit: pnpm audit --prod
  • bench: node --import tsx bench/router.bench.ts
  • build: tsc -p tsconfig.build.json
  • coverage: node --import tsx --test --experimental-test-coverage --test-coverage-include='src/**' --test-coverage-lines=90 --test-coverage-functions=90 tests/**/*.test.ts
  • coverage:branches: tsc -p tsconfig.coverage.json && node --test --experimental-test-coverage --test-coverage-include='dist-coverage/src/**' --test-coverage-branches=90 dist-coverage/tests/**/*.test.js
  • dev: tsc -w -p tsconfig.json
  • example: node --import tsx examples/basic.ts
  • format: prettier --write .
  • gen: pnpm gen:openapi && pnpm gen:client
  • gen:client: openapi-ts
  • gen:openapi: node --import tsx scripts/dump-openapi.ts
  • gen:sbom: node --import tsx scripts/generate-sbom.ts --package-json ./package.json --out-cyclonedx ./dist/sbom.cdx.json --out-spdx ./dist/sbom.spdx.json && node --import tsx scripts/generate-sbom.ts --package-json ./packages/create-daloy/package.json --out-cyclonedx ./packages/create-daloy/sbom.cdx.json --out-spdx ./packages/create-daloy/sbom.spdx.json
  • hooks:install: node --import tsx scripts/install-git-hooks.ts
  • prepublishOnly: pnpm build && pnpm gen:sbom
  • scan:staged-secrets: node --import tsx scripts/scan-staged-secrets.ts
  • test: node --import tsx --test tests/**/*.test.ts
  • typecheck: tsc --noEmit
  • verify:actions-pinned: node --import tsx scripts/verify-actions-pinned.ts
  • verify:dep-licenses: node --import tsx scripts/verify-dep-licenses.ts
  • verify:governance-audits: node --import tsx scripts/verify-governance-audits.ts
  • verify:known-dep-names: node --import tsx scripts/verify-known-dep-names.ts
  • verify:lockfile: node --import tsx scripts/verify-lockfile-sources.ts
  • verify:no-bin-shadowing: node --import tsx scripts/verify-no-bin-shadowing.ts
  • verify:no-encoded-payloads: node --import tsx scripts/verify-no-encoded-payloads.ts
  • verify:no-invisible-unicode: node --import tsx scripts/verify-no-invisible-unicode.ts
  • verify:no-leaked-credentials: node --import tsx scripts/verify-no-leaked-credentials.ts
  • verify:no-leaky-agent-skills: node --import tsx scripts/verify-no-leaky-agent-skills.ts
  • verify:no-lifecycle-scripts: node --import tsx scripts/verify-no-lifecycle-scripts.ts
  • verify:no-native-addons: node --import tsx scripts/verify-no-native-addons.ts
  • verify:no-polyfill-cdns: node --import tsx scripts/verify-no-polyfill-cdns.ts
  • …and 16 more.