Package evidence
@kaitranntt/[email protected]
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 966Established · −30% score
- First published
- Nov 2025
- Publisher
- kaitranntt
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@kaitranntt/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@kaitranntt/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
1 candidate cluster(s) currently reference this release.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (3 events)
- available → available · risk high · score 49 · status available -> available, risk high -> high, score 42 -> 49
- available → available · risk high · score 42 · status available -> available, risk high -> high, score 91 -> 42
- new → available · risk high · score 91 · status changed
Related candidates
Linked campaigns and clusters
Js Hidden Powershell — hidden / non-interactive powershell invocation in package code — `-windowstyle hidden`, `irm | iex`, `windowshide: true`, or equivalent — used to download-and-run payloads on windows installers.
194 members · evidence strength 90Js Hidden Powershell — hidden / non-interactive powershell invocation in package code — `-windowstyle hidden`, `irm | iex`, `windowshide: true`, or equivalent — used to download-and-run payloads on windows installers.
194 members · max score 186Evidence
Static findings
5 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Hidden Powershell | package/dist/utils/claude-detector.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| medium | Credential file access | package/dist/copilot/copilot-auth.js | matched "github_token" | 10 |
Show all 5 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Hidden Powershell | package/dist/utils/claude-detector.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| medium | Credential file access | package/dist/copilot/copilot-auth.js | matched "github_token" | 10 |
| low | Credential file access | package/lib/mcp/ccs-browser-server.cjs | matched ".npmrc" | 5 |
| low | Install-time lifecycle script | package.json | preinstall="node scripts/preinstall.js" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/postinstall.js" | 5 |
Manifest
Package metadata
Scripts37
buildtsc && node scripts/add-shebang.jsbuild:allbun run ui:build && bun run build:serverbuild:servertsc && node scripts/add-shebang.jsbuild:watchtsc --watchdevbun run build:server && node dist/ccs.js config --devdev:symlinkbash scripts/dev-symlink.shdev:unlinkbash scripts/dev-symlink.sh --restoreformatprettier --write src/format:checkprettier --check src/linteslint src/lint:fixeslint src/ --fixpostbuild:allnode scripts/verify-bundle.jspostinstallnode scripts/postinstall.jspostuninstallnode scripts/postuninstall.jsprebuildnode scripts/clean-dist.jsprebuild:allrm -rf dist tsconfig.tsbuildinfoprebuild:servernode scripts/clean-dist.jspreinstallnode scripts/preinstall.jsprepackbun run build:allpreparehuskyreport:hardeningnode scripts/hardening-inventory.jstestbun run build && bun run test:alltest:allnode scripts/run-test-bucket.js alltest:cibun run test:alltest:e2ebun test tests/e2e/ --bail --timeout 60000test:fastnode scripts/run-test-bucket.js fasttest:nativebash tests/native/unix/edge-cases.shtest:npmbun test tests/npm/test:slownode scripts/run-test-bucket.js slowtest:unitbun test tests/unit- …and 7 more.
Dependencies20
bcrypt^6.0.0boxen^5.1.2chalk^4.1.2chokidar^3.6.0cli-table3^0.6.5express^4.18.2express-rate-limit^8.2.1express-session^1.18.2get-port^5.1.1gradient-string^2.0.2http-proxy-agent^7.0.2https-proxy-agent^7.0.6js-yaml^4.1.1listr2^3.14.0open^8.4.2ora^5.4.1proper-lockfile^4.1.2smol-toml^1.6.1undici^5.29.0ws^8.16.0