PkgRadar

Package evidence

@isentinel/[email protected]

Remote Payload: matched "wget "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@isentinel/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@isentinel/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes44,160,314
Previous version0.2.6
Published2026-04-22T17:56:48.777Z
SHA-256d733ed1c489954380eb445f796ac88d9efd6aebbed12f3374bc98aedca8f8462

Why flagged

What the scanner saw

Remote Payload: matched "wget "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
0.2.7Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/game-output-CCPIQMWm.mjsmatched "wget "12
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/game-output-CCPIQMWm.mjsmatched "wget "12
lowObfuscationpackage/dist/game-output-CCPIQMWm.mjsmatched "\\u23af"3

Manifest

Package metadata

Scripts10
  • buildpnpm build:packages && pnpm build:bundle && tsdown && pnpm build:plugin
  • build:bundledarklua process -c .darklua-bundle.json luau/entry.luau src/test-runner.bundled.luau
  • build:packagespnpm -r --filter !@isentinel/jest-roblox run build
  • build:pluginrm -rf plugin/out && darklua process -c .darklua-plugin.json luau/ plugin/out/shared/ && rojo build plugin/plugin.project.json -o plugin/JestRobloxRunner.rbxm
  • linteslint --cache
  • lint:cieslint --cache --cache-strategy content
  • releasebumpp
  • testnr typecheck && vitest run --coverage
  • typechecktsgo --build --emitDeclarationOnly
  • watchtsdown --watch
Dependencies16
  • @jridgewell/trace-mapping0.3.31
  • @roblox-ts/rojo-resolver1.1.0
  • arktype2.2.0
  • c124.0.0-beta.4
  • confbox0.2.4
  • defu6.1.6
  • get-tsconfig4.13.7
  • highlight.js11.11.1
  • istanbul-lib-coverage3.2.2
  • istanbul-lib-report3.0.1
  • istanbul-reports3.2.0
  • oxc-parser0.123.0
  • picomatch4.0.4
  • std-env4.0.0
  • tinyrainbow3.1.0
  • ws8.20.0