Package evidence
@hpcc-js/[email protected]
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 2,063 (Niche · −30% score)
- Versions published: 364 (Mature · −50% score)
- First published: Apr 2018
- Publisher: hpcc-js
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@hpcc-js/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@hpcc-js/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
11 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Hidden Powershell | package/dist/dist/12.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/19.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/28.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/31.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/34.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/42.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/45.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/52.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/64.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/67.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| high | Js Hidden Powershell | package/dist/dist/92.eclwatch.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
Manifest
Package metadata
Scripts (23)
| Script | Command |
|---|---|
| build | `npm-run-all --parallel copy-res compile-amd --serial bundle` |
| build-dev | `npm-run-all --parallel copy-res compile-amd --serial bundle-dev` |
| bundle | `webpack --env production --config webpack.config.js` |
| bundle-dev | `webpack --env development --config webpack.config.js` |
| bundle-watch | `npm run bundle-dev -- --watch` |
| clean | `rimraf lib* types dist *.tsbuildinfo` |
| compile-amd | `tsc` |
| compile-watch | `npm run compile-amd -- -w` |
| copy-res | `run-p copy-res-es6-promise copy-res-eclwatch-img copy-res-eclwatch-ecl copy-res-dojo copy-res-dojox copy-res-TopoJSON copy-res-font-awesome copy-res-stub_htm` |
| copy-res-TopoJSON | `cpx "../../node_modules/@hpcc-js/map/TopoJSON/**/*" ./dist/dist/TopoJSON/` |
| copy-res-dojo | `cpx "../../node_modules/dojo/resources/**/*.{png,jpg,gif}" ./dist/node_modules/dojo/resources/` |
| copy-res-dojox | `cpx "../../node_modules/dojox/widget/ColorPicker/images/**/*.{png,jpg,gif}" ./dist/eclwatch/img/` |
| copy-res-eclwatch-ecl | `cpx "../../eclwatch/ecl/**/*.*" ./dist/eclwatch/ecl/` |
| copy-res-eclwatch-img | `cpx "../../eclwatch/img/**/*.{png,jpg,gif}" ./dist/eclwatch/img/` |
| copy-res-es6-promise | `cpx "../../node_modules/es6-promise/dist/es6-promise.auto.min.js" ./dist/dist` |
| copy-res-font-awesome | `cpx "../../node_modules/font-awesome/**/*" ./dist/dist/font-awesome/` |
| copy-res-stub_htm | `cpx "./stub.htm" ./dist/` |
| dev-start | `run-p bundle-watch dev-start-ws` |
| dev-start-verbose | `ws --verbose.include request response` |
| dev-start-ws | `ws` |
| jslint | `jshint --config ./.jshintrc ./eclwatch` |
| lint | `run-s jslint tslint` |
| tslint | `tslint --project . src/**/*.ts` |