Package evidence
@jinhx128/[email protected]
Suspicious Publish Context: {"package_age_days":5,"publisher":"jinhx128","burst_same_day":0,"burst_week":0,"lure":null,"version_anomaly":false,"new_account":true}
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 2
- First published
- Jun 2026
- Publisher
- jinhx128
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@jinhx128/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@jinhx128/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Suspicious Publish Context: {"package_age_days":5,"publisher":"jinhx128","burst_same_day":0,"burst_week":0,"lure":null,"version_anomaly":false,"new_account":true}
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Suspicious Publish Context | manifest | {"package_age_days":5,"publisher":"jinhx128","burst_same_day":0,"burst_week":0,"lure":null,"version_anomaly":false,"new_account":true} | 10 |
Manifest
Package metadata
Scripts18
agentmeshnpm run build && node dist-node/packages/cli/src/cli.jsbuildnpm run build:node && npm run build:studio-frontendbuild:nodenode -e "require('node:fs').rmSync('dist-node', { recursive: true, force: true })" && tsc -p tsconfig.json && node scripts/rewrite-package-imports.mjs && node -e "require('node:fs').chmodSync('dist-node/packages/cli/src/cli.js', 0o755)"build:studio-frontendvite build --config apps/studio-web/vite.config.tsbuild:workspacesnpm run build --workspaces --if-presentchecknpm testcheck:boundariesnode scripts/check-boundaries.mjscli:install-smokenpm run build && node --test --test-name-pattern "root CLI pack installs and runs in a clean project" dist-node/tests-node/package-structure.test.jsrelease:assetsnode scripts/github-release.mjs --prepare-onlyrelease:githubnode scripts/github-release.mjsrelease:github:verifynode scripts/github-release.mjs --verify-onlystudionpm run build && node dist-node/apps/studio/src/main.jsstudio-desktopnpm run build && node dist-node/apps/studio-desktop/src/main.jsstudio-desktop:package:devnpm run build && node dist-node/apps/studio-desktop/src/sidecar-bundle.js --verify && node dist-node/apps/studio-desktop/src/distribution-smoke.js --mode devstudio-desktop:package:signednpm run build && node dist-node/apps/studio-desktop/src/sidecar-bundle.js --verify && node dist-node/apps/studio-desktop/src/distribution-smoke.js --mode signedstudio-desktop:sidecar:bundlenpm run build && node dist-node/apps/studio-desktop/src/sidecar-bundle.js --verifystudio-desktop:update:metadatanpm run build && node dist-node/apps/studio-desktop/src/sidecar-bundle.js --verify && node dist-node/apps/studio-desktop/src/distribution-smoke.js --mode metadatatestnpm run build && node --test dist-node/tests-node/*.test.js
Dependencies3
@modelcontextprotocol/sdk1.29.0smol-toml^1.6.1zod^4.4.3