Package evidence

@empathyinc/[email protected]

Large Javascript Payload, Suspicious Publish Context

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 3
First published: Jun 2026
Publisher: empathyinc

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@empathyinc/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@empathyinc/[email protected]"],"fail_on":"review"}'

Publisherempathyinc

Artifact bytes7,000,704

Previous versionnone

Published2026-06-21T00:45:46.383Z

SHA-25660ad739502ec0c898362843f8c978a7cca51297c051d37c5b81d6649faf909ec

Why flagged

What the scanner saw

Suspicious Publish Context

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

21h agoLast checked

reviewRisk

10Score

0.19.0Version

Status history (1 event)

new → available21h ago · risk review · score 10 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Suspicious Publish Context	manifest	—	10

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Suspicious Publish Context	manifest	—	10
low	Large Javascript Payload	package/dist/cli.mjs	—	0
low	Large Javascript Payload	package/dist/sdk.mjs	—	0

Manifest

Package metadata

Scripts 47

Dependencies63

@alcalzone/ansi-tokenize0.3.0
@anthropic-ai/bedrock-sdk0.29.1
@anthropic-ai/foundry-sdk0.2.3
@anthropic-ai/sandbox-runtime0.0.55
@anthropic-ai/sdk0.94.0
@anthropic-ai/vertex-sdk0.16.0
@commander-js/extra-typings12.1.0
@grpc/grpc-js^1.14.3
@grpc/proto-loader^0.8.0
@modelcontextprotocol/sdk1.29.0
@orama/orama^3.1.18
@orama/plugin-data-persistence^3.1.18
@vscode/ripgrep^1.17.1
ajv8.18.0
auto-bind5.0.1
axios1.16.0
bidi-js1.0.3
chalk5.6.2
chokidar4.0.3
cli-boxes3.0.0
cli-highlight2.1.11
commander12.1.0
cross-spawn7.0.6
diff8.0.3
duck-duck-scrape^2.2.7
emoji-regex10.6.0
env-paths3.0.0
execa9.6.1
fflate0.8.2
figures6.1.0
…and 33 more.