Package evidence
@drewling/[email protected]
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 267
- Versions published
- 4
- First published
- Apr 2026
- Publisher
- tayoonabule
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@drewling/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@drewling/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 45 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Decode Then Exec | package/build/request-executor.js | base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. | 45 |
Manifest
Package metadata
Scripts12
buildtsc && shx chmod 755 build/index.jscheck:specnode scripts/check-spec-drift.jsdevtsc --watchfetch:specnode -e "const u=process.env.TWENTY_API_URL,k=process.env.TWENTY_API_KEY;if(!u||!k){console.error('Set TWENTY_API_URL and TWENTY_API_KEY');process.exit(1)}fetch(u.replace(/\/$/,'')+'/open-api/core',{headers:{Authorization:'Bearer '+k}}).then(r=>r.ok?r.text():Promise.reject(r.status)).then(t=>{require('fs').writeFileSync('openapi/twenty-core.json',t);console.log('Saved openapi/twenty-core.json')})"fetch:spec:metadatanode -e "const u=process.env.TWENTY_API_URL,k=process.env.TWENTY_API_KEY;if(!u||!k){console.error('Set TWENTY_API_URL and TWENTY_API_KEY');process.exit(1)}fetch(u.replace(/\/$/,'')+'/open-api/metadata',{headers:{Authorization:'Bearer '+k}}).then(r=>r.ok?r.text():Promise.reject(r.status)).then(t=>{require('fs').writeFileSync('openapi/twenty-metadata.json',t);console.log('Saved openapi/twenty-metadata.json')})"fetch:specsnpm run fetch:spec && npm run fetch:spec:metadataprestartnpm run buildregenopenapi-mcp-generator --input openapi/twenty-core.json --output . --server-name twenty-mcp --server-version 0.2.0 --transport stdio --forceregen:metadatanode scripts/gen-metadata-tools.jsstartnode build/index.jstestvitest runtypechecktsc --noEmit
Dependencies6
@modelcontextprotocol/sdk^1.10.0axios^1.9.0dotenv^16.4.5json-schema-to-zod^2.6.1pino^10.3.1zod^3.24.3